| Offset 1, 6 lines modified | Offset 1, 6 lines modified | ||
| 1 | · | 1 | ·863c3c1959e92a341d3b8732f47c402d·135412·admin·optional·ssg-applications_0.1.39-2_all.deb |
| 2 | ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb | 2 | ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb |
| 3 | · | 3 | ·91c0110746bb31c778dbc08ab7674e54·167384·admin·optional·ssg-debderived_0.1.39-2_all.deb |
| 4 | · | 4 | ·856173a94ffe449151bf3fb163a73263·155452·admin·optional·ssg-debian_0.1.39-2_all.deb |
| 5 | · | 5 | ·88a7d1b1b4d60554bfc099b46f80bc85·5248956·admin·optional·ssg-nondebian_0.1.39-2_all.deb |
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····182 | 2 | -rw-r--r--···0········0········0·····1820·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···133 | 3 | -rw-r--r--···0········0········0···133400·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 491, 23 lines modified | Offset 491, 24 lines modified | ||
| 491 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 491 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 492 | if·!·[·$?·-eq·0·]·;·then | 492 | if·!·[·$?·-eq·0·]·;·then |
| 493 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 493 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 494 | else | 494 | else |
| 495 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 495 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 496 | fi | 496 | fi |
| 497 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_ | 497 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·id="guide-tree-leaf-idm1629"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">Require·Outdated·Plugins·to·be·Authorized |
| 498 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_ | 498 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·should·prompt·users·for·authorization·to·run·outdated·plugins.·This |
| 499 | 499 | can·be·enabled·by·setting·<code>AlwaysAuthorizePlugins</code>·to·<code>false</code> | |
| 500 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p> | 500 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Outdated·plugins·can·compromise·security·and·should·request·authorization·from |
| 501 | the·user·before·running.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 501 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 502 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 502 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 503 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 503 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC001 | 504 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0014</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1637">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1637"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 504 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 505 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 505 | POL_SETTING=" | 506 | POL_SETTING="AlwaysAuthorizePlugins" |
| 506 | POL_SETTING_VAL="false" | 507 | POL_SETTING_VAL="false" |
| 507 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 508 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 508 | if·!·[·$?·-eq·0·]·;·then | 509 | if·!·[·$?·-eq·0·]·;·then |
| 509 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 510 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 510 | else | 511 | else |
| Offset 816, 24 lines modified | Offset 817, 23 lines modified | ||
| 816 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 817 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 817 | if·!·[·$?·-eq·0·]·;·then | 818 | if·!·[·$?·-eq·0·]·;·then |
| 818 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 819 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 819 | else | 820 | else |
| 820 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 821 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 821 | fi | 822 | fi |
| 822 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_ | 823 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords"·id="guide-tree-leaf-idm1847"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords">Disable·Use·of·Cleartext·Passwords |
| 823 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_ | 824 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·allows·users·to·import·and·store·passwords·in·cleartext.·This·should·be· |
| 824 | 825 | disabled·by·setting·<code>PasswordManagerAllowShowPasswords</code>·to·<code>false</code> | |
| 825 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p> | 826 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Cleartext·passwords·would·allow·another·individual·to·see·password·via·shoulder·surfing.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 826 | the·user·before·running.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 827 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 827 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 828 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 828 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 829 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC001 | 829 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1855">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1855"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 830 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 830 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 831 | POL_SETTING=" | 831 | POL_SETTING="PasswordManagerAllowShowPasswords" |
| 832 | POL_SETTING_VAL="false" | 832 | POL_SETTING_VAL="false" |
| 833 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 833 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 834 | if·!·[·$?·-eq·0·]·;·then | 834 | if·!·[·$?·-eq·0·]·;·then |
| 835 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 835 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 836 | else | 836 | else |
| Offset 48, 31 lines modified | Offset 48, 31 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences- | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. |
| 58 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· | 58 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· |
| 59 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· | 59 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· |
| 60 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. | 60 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. |
| 61 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> | 61 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> |
| 62 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences- | 62 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data |
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | ||
| 64 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | ||
| 65 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | ||
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required | ||
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that | 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that |
| 64 | applications·can·access·for·a·single·certificate·repository. | 68 | applications·can·access·for·a·single·certificate·repository. |
| 65 | If·enabled,·Firefox·can·access·that·single·system·certificate | 69 | If·enabled,·Firefox·can·access·that·single·system·certificate |
| 66 | repository.·If·the·DoD·root·certificate·is·also·installed·into | 70 | repository.·If·the·DoD·root·certificate·is·also·installed·into |
| 67 | the·shared·system·certificate·repository,·Firefox·will·see·and· | 71 | the·shared·system·certificate·repository,·Firefox·will·see·and· |
| 68 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><t | 72 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | ||
| 70 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | ||
| 71 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | ||
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered | ||
| 73 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other | 73 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other |
| 74 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their | 74 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their |
| 75 | respective·companies. | 75 | respective·companies. |
| 76 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> | 76 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> |
| 77 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> | 77 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> |
| Offset 59, 67 lines modified | Offset 59, 34 lines modified | ||
| 59 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 59 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 60 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 60 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 61 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 61 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 62 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 62 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 63 | quality,·reliability,·or·any·other·characteristic. | 63 | quality,·reliability,·or·any·other·characteristic. |
| 64 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 64 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 65 | ····························(as·of·2018-07-26) | 65 | ····························(as·of·2018-07-26) |
| 66 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences- | 66 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox |
| 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. | 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. |
| 68 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· | 68 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· |
| 69 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· | 69 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· |
| 70 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. | 70 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. |
| 71 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> | 71 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> |
| 72 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences- | 72 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that | ||
| 74 | applications·can·access·for·a·single·certificate·repository. | ||
| 75 | If·enabled,·Firefox·can·access·that·single·system·certificate | ||
| 76 | repository.·If·the·DoD·root·certificate·is·also·installed·into | ||
| 77 | the·shared·system·certificate·repository,·Firefox·will·see·and· | ||
| 78 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">The·DoD·Root·Certificate·Exists | ||
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·DoD·root·certificate·should·be·installed·in·the·Shared·System·Certificates·store | ||
| 80 | for·Firefox·to·be·able·to·access·the·DoD·certificate.·To·install·the·root·certificated | ||
| 81 | into·the·Shared·System·Certificates·store,·copy·the·DoD·root·certificate·into | ||
| 82 | <code>/etc/pki/ca-trust/source/anchors</code>.·Once·the·file·is·copied,·run·the·following | ||
| 83 | command: | ||
| 84 | <pre>$·sudo·update-ca-trust·extract</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is | ||
| 85 | established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 86 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 87 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·id="guide-tree-leaf-idm1066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">Enable·Shared·System·Certificates | ||
| 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Shared·System·Certificates·store·makes·NSS,·GnuTLS,·OpenSSL,·and·Java | ||
| 90 | share·a·default·source·for·retrieving·system·certificate·anchors·and·blacklist | ||
| 91 | information.·Firefox·has·the·capability·of·using·this·centralized·store·for·its | ||
| 92 | CA·certificates.·If·the·Shared·System·Certificates·store·is·disabled,·it·can | ||
| 93 | be·enabled·by·running·the·following·command: | ||
| 94 | <pre>$·sudo·update-ca-trust·enable</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is | ||
| 95 | established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 96 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 97 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1074"><pre><code>P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 99 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 100 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 101 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 102 | ···/usr/bin/update-ca-trust·enable | ||
| 103 | fi | ||
| 104 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data | ||
| 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data |
| 106 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | 74 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other |
| 107 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm10 | 75 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">Disable·User·Prompt·When·Data·Is·Cleared |
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data | 76 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data |
| 109 | when·Firefox·closes.·This·can·be·disabled·by· | 77 | when·Firefox·closes.·This·can·be·disabled·by· |
| 110 | setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. | 78 | setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. |
| 111 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private | 79 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private |
| 112 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and | 80 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and |
| 113 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 81 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 82 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 115 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 83 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 116 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm10 | 84 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1065">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1065"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 117 | #·preference·if·it·does·not·exist. | 85 | #·preference·if·it·does·not·exist. |
| 118 | # | 86 | # |
| 119 | #·Expects·three·arguments: | 87 | #·Expects·three·arguments: |
| 120 | # | 88 | # |
| 121 | #·config_file:··········Configuration·file·that·will·be·modified | 89 | #·config_file:··········Configuration·file·that·will·be·modified |
| 122 | #·key:··················Configuration·option·to·change | 90 | #·key:··················Configuration·option·to·change |
| 123 | #·value:················Value·of·the·configuration·option·to·change | 91 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 168, 24 lines modified | Offset 135, 24 lines modified | ||
| 168 | ········echo·"lockPref(\"${key}\",·${value});"·>>·"${firefox_dir}/${firefox_cfg}" | 135 | ········echo·"lockPref(\"${key}\",·${value});"·>>·"${firefox_dir}/${firefox_cfg}" |
| 169 | ······fi | 136 | ······fi |
| 170 | ····fi | 137 | ····fi |
| 171 | ··done | 138 | ··done |
| 172 | } | 139 | } |
| 173 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" | 140 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" |
| 174 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm10 | 141 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm1071"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">Clear·Data·When·Firefox·Closes |
| 175 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data | 142 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data |
| 176 | get·stored·on·the·system.·This·can·be·disabled·by·setting | 143 | get·stored·on·the·system.·This·can·be·disabled·by·setting |
| 177 | <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. | 144 | <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. |
| 178 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private | 145 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private |
| 179 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and | 146 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and |
| 180 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 147 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 181 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 148 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 182 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 149 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 183 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1 | 150 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1081"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 184 | #·preference·if·it·does·not·exist. | 151 | #·preference·if·it·does·not·exist. |
| 185 | # | 152 | # |
| 186 | #·Expects·three·arguments: | 153 | #·Expects·three·arguments: |
| 187 | # | 154 | # |
| 188 | #·config_file:··········Configuration·file·that·will·be·modified | 155 | #·config_file:··········Configuration·file·that·will·be·modified |
| 189 | #·key:··················Configuration·option·to·change | 156 | #·key:··················Configuration·option·to·change |
| 190 | #·value:················Value·of·the·configuration·option·to·change | 157 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 235, 22 lines modified | Offset 202, 22 lines modified | ||
| 235 | ······fi | 202 | ······fi |
| 236 | ····fi | 203 | ····fi |
| 237 | ··done | 204 | ··done |
| 238 | } | 205 | } |
| 239 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" | 206 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" |
| 240 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | 207 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings |
| 241 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1 | 208 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1090"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">Disable·Firefox·Configuration·File·ROT-13·Encoding |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code> | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code> |
| 243 | to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring | 210 | to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring |
| 244 | and·deploying·Firefox·configuration·settings.·It·also·prevents·validating | 211 | and·deploying·Firefox·configuration·settings.·It·also·prevents·validating |
| 245 | settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 212 | settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 246 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 213 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 247 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 214 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 248 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm11 | 215 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1100">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1100"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 249 | #·preference·if·it·does·not·exist. | 216 | #·preference·if·it·does·not·exist. |
| 250 | # | 217 | # |
| 251 | #·Expects·three·arguments: | 218 | #·Expects·three·arguments: |
| 252 | # | 219 | # |
| 253 | #·config_file:··········Configuration·file·that·will·be·modified | 220 | #·config_file:··········Configuration·file·that·will·be·modified |
| 254 | #·key:··················Configuration·option·to·change | 221 | #·key:··················Configuration·option·to·change |
| 255 | #·value:················Value·of·the·configuration·option·to·change | 222 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 312, 22 lines modified | Offset 279, 22 lines modified | ||
| 312 | ······fi | 279 | ······fi |
| 313 | ····fi | 280 | ····fi |
| 314 | ··done | 281 | ··done |
| 315 | } | 282 | } |
| 316 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | 283 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" |
| 317 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm11 | 284 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm1106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">Set·Firefox·Configuration·File·Location |
| 318 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting· | 285 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting· |
| 319 | <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>) | 286 | <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>) |
| 320 | filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing | 287 | filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing |
| Max diff block lines reached; 11044/39250 bytes (28.14%) of diff not shown. | |||
| Offset 409, 30 lines modified | Offset 409, 30 lines modified | ||
| 409 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 409 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 410 | else | 410 | else |
| 411 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 411 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 412 | fi | 412 | fi |
| 413 | #·END·fix·for·'chromium_default_block_plugins' | 413 | #·END·fix·for·'chromium_default_block_plugins' |
| 414 | ############################################################################### | 414 | ############################################################################### |
| 415 | #·BEGIN·fix·(21·/·37)·for·'chromium_ | 415 | #·BEGIN·fix·(21·/·37)·for·'chromium_plugins_require_authorization' |
| 416 | ############################################################################### | 416 | ############################################################################### |
| 417 | (>&2·echo·"Remediating·rule·21/37:·'chromium_ | 417 | (>&2·echo·"Remediating·rule·21/37:·'chromium_plugins_require_authorization'") |
| 418 | CHROME_POL_FILE="chrome_stig_policy.json" | 418 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 419 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 419 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 420 | POL_SETTING=" | 420 | POL_SETTING="AlwaysAuthorizePlugins" |
| 421 | POL_SETTING_VAL="false" | 421 | POL_SETTING_VAL="false" |
| 422 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 422 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 423 | if·!·[·$?·-eq·0·]·;·then | 423 | if·!·[·$?·-eq·0·]·;·then |
| 424 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 424 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 425 | else | 425 | else |
| 426 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 426 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 427 | fi | 427 | fi |
| 428 | #·END·fix·for·'chromium_ | 428 | #·END·fix·for·'chromium_plugins_require_authorization' |
| 429 | ############################################################################### | 429 | ############################################################################### |
| 430 | #·BEGIN·fix·(22·/·37)·for·'chromium_enable_safe_browsing' | 430 | #·BEGIN·fix·(22·/·37)·for·'chromium_enable_safe_browsing' |
| 431 | ############################################################################### | 431 | ############################################################################### |
| 432 | (>&2·echo·"Remediating·rule·22/37:·'chromium_enable_safe_browsing'") | 432 | (>&2·echo·"Remediating·rule·22/37:·'chromium_enable_safe_browsing'") |
| 433 | CHROME_POL_FILE="chrome_stig_policy.json" | 433 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 434 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 434 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| Offset 703, 24 lines modified | Offset 703, 24 lines modified | ||
| 703 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 703 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 704 | else | 704 | else |
| 705 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 705 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 706 | fi | 706 | fi |
| 707 | #·END·fix·for·'chromium_disable_cloud_print_sharing' | 707 | #·END·fix·for·'chromium_disable_cloud_print_sharing' |
| 708 | ############################################################################### | 708 | ############################################################################### |
| 709 | #·BEGIN·fix·(37·/·37)·for·'chromium_ | 709 | #·BEGIN·fix·(37·/·37)·for·'chromium_disable_cleartext_passwords' |
| 710 | ############################################################################### | 710 | ############################################################################### |
| 711 | (>&2·echo·"Remediating·rule·37/37:·'chromium_ | 711 | (>&2·echo·"Remediating·rule·37/37:·'chromium_disable_cleartext_passwords'") |
| 712 | CHROME_POL_FILE="chrome_stig_policy.json" | 712 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 713 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 713 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 714 | POL_SETTING=" | 714 | POL_SETTING="PasswordManagerAllowShowPasswords" |
| 715 | POL_SETTING_VAL="false" | 715 | POL_SETTING_VAL="false" |
| 716 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 716 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 717 | if·!·[·$?·-eq·0·]·;·then | 717 | if·!·[·$?·-eq·0·]·;·then |
| 718 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 718 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 719 | else | 719 | else |
| 720 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 720 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 721 | fi | 721 | fi |
| 722 | #·END·fix·for·'chromium_ | 722 | #·END·fix·for·'chromium_disable_cleartext_passwords' |
| Offset 29, 37 lines modified | Offset 29, 17 lines modified | ||
| 29 | # | 29 | # |
| 30 | #·How·to·apply·this·remediation·role: | 30 | #·How·to·apply·this·remediation·role: |
| 31 | #·$·sudo·./remediation-role.sh | 31 | #·$·sudo·./remediation-role.sh |
| 32 | # | 32 | # |
| 33 | ############################################################################### | 33 | ############################################################################### |
| 34 | ############################################################################### | 34 | ############################################################################### |
| 35 | #·BEGIN·fix·(1·/·28)·for·'firefox_preferences- | 35 | #·BEGIN·fix·(1·/·28)·for·'firefox_preferences-cookies_user_notice' |
| 36 | ############################################################################### | 36 | ############################################################################### |
| 37 | (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences- | 37 | (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences-cookies_user_notice'") |
| 38 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 39 | #·END·fix·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 40 | ############################################################################### | ||
| 41 | #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-enable_ca_trust' | ||
| 42 | ############################################################################### | ||
| 43 | (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-enable_ca_trust'") | ||
| 44 | P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 45 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 46 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 47 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 48 | ···/usr/bin/update-ca-trust·enable | ||
| 49 | fi | ||
| 50 | #·END·fix·for·'firefox_preferences-enable_ca_trust' | ||
| 51 | ############################################################################### | ||
| 52 | #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-cookies_user_notice' | ||
| 53 | ############################################################################### | ||
| 54 | (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-cookies_user_notice'") | ||
| 55 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 38 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 56 | #·preference·if·it·does·not·exist. | 39 | #·preference·if·it·does·not·exist. |
| 57 | # | 40 | # |
| 58 | #·Expects·three·arguments: | 41 | #·Expects·three·arguments: |
| 59 | # | 42 | # |
| 60 | #·config_file:··········Configuration·file·that·will·be·modified | 43 | #·config_file:··········Configuration·file·that·will·be·modified |
| 61 | #·key:··················Configuration·option·to·change | 44 | #·key:··················Configuration·option·to·change |
| Offset 112, 17 lines modified | Offset 92, 17 lines modified | ||
| 112 | ··done | 92 | ··done |
| 113 | } | 93 | } |
| 114 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" | 94 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" |
| 115 | #·END·fix·for·'firefox_preferences-cookies_user_notice' | 95 | #·END·fix·for·'firefox_preferences-cookies_user_notice' |
| 116 | ############################################################################### | 96 | ############################################################################### |
| 117 | #·BEGIN·fix·( | 97 | #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-cookies_clear' |
| 118 | ############################################################################### | 98 | ############################################################################### |
| 119 | (>&2·echo·"Remediating·rule· | 99 | (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-cookies_clear'") |
| 120 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 100 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 121 | #·preference·if·it·does·not·exist. | 101 | #·preference·if·it·does·not·exist. |
| 122 | # | 102 | # |
| 123 | #·Expects·three·arguments: | 103 | #·Expects·three·arguments: |
| 124 | # | 104 | # |
| 125 | #·config_file:··········Configuration·file·that·will·be·modified | 105 | #·config_file:··········Configuration·file·that·will·be·modified |
| 126 | #·key:··················Configuration·option·to·change | 106 | #·key:··················Configuration·option·to·change |
| Offset 175, 17 lines modified | Offset 155, 17 lines modified | ||
| 175 | ··done | 155 | ··done |
| 176 | } | 156 | } |
| 177 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" | 157 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" |
| 178 | #·END·fix·for·'firefox_preferences-cookies_clear' | 158 | #·END·fix·for·'firefox_preferences-cookies_clear' |
| 179 | ############################################################################### | 159 | ############################################################################### |
| 180 | #·BEGIN·fix·( | 160 | #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-lock_settings_obscure' |
| 181 | ############################################################################### | 161 | ############################################################################### |
| 182 | (>&2·echo·"Remediating·rule· | 162 | (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-lock_settings_obscure'") |
| 183 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | 163 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 184 | #·preference·if·it·does·not·exist. | 164 | #·preference·if·it·does·not·exist. |
| 185 | # | 165 | # |
| 186 | #·Expects·three·arguments: | 166 | #·Expects·three·arguments: |
| 187 | # | 167 | # |
| 188 | #·config_file:··········Configuration·file·that·will·be·modified | 168 | #·config_file:··········Configuration·file·that·will·be·modified |
| 189 | #·key:··················Configuration·option·to·change | 169 | #·key:··················Configuration·option·to·change |
| Offset 251, 17 lines modified | Offset 231, 17 lines modified | ||
| 251 | } | 231 | } |
| 252 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | 232 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" |
| 253 | #·END·fix·for·'firefox_preferences-lock_settings_obscure' | 233 | #·END·fix·for·'firefox_preferences-lock_settings_obscure' |
| 254 | ############################################################################### | 234 | ############################################################################### |
| 255 | #·BEGIN·fix·( | 235 | #·BEGIN·fix·(4·/·28)·for·'firefox_preferences-lock_settings_config_file' |
| 256 | ############################################################################### | 236 | ############################################################################### |
| 257 | (>&2·echo·"Remediating·rule· | 237 | (>&2·echo·"Remediating·rule·4/28:·'firefox_preferences-lock_settings_config_file'") |
| 258 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | 238 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 259 | #·preference·if·it·does·not·exist. | 239 | #·preference·if·it·does·not·exist. |
| 260 | # | 240 | # |
| 261 | #·Expects·three·arguments: | 241 | #·Expects·three·arguments: |
| 262 | # | 242 | # |
| 263 | #·config_file:··········Configuration·file·that·will·be·modified | 243 | #·config_file:··········Configuration·file·that·will·be·modified |
| 264 | #·key:··················Configuration·option·to·change | 244 | #·key:··················Configuration·option·to·change |
| Offset 327, 14 lines modified | Offset 307, 34 lines modified | ||
| 327 | } | 307 | } |
| 328 | firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | 308 | firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" |
| 329 | #·END·fix·for·'firefox_preferences-lock_settings_config_file' | 309 | #·END·fix·for·'firefox_preferences-lock_settings_config_file' |
| 330 | ############################################################################### | 310 | ############################################################################### |
| 311 | #·BEGIN·fix·(5·/·28)·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 312 | ############################################################################### | ||
| 313 | (>&2·echo·"Remediating·rule·5/28:·'firefox_preferences-dod_root_certificate_installed'") | ||
| 314 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 315 | #·END·fix·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 316 | ############################################################################### | ||
| 317 | #·BEGIN·fix·(6·/·28)·for·'firefox_preferences-enable_ca_trust' | ||
| 318 | ############################################################################### | ||
| 319 | (>&2·echo·"Remediating·rule·6/28:·'firefox_preferences-enable_ca_trust'") | ||
| 320 | P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 321 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 322 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 323 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 324 | ···/usr/bin/update-ca-trust·enable | ||
| 325 | fi | ||
| 326 | #·END·fix·for·'firefox_preferences-enable_ca_trust' | ||
| 327 | ############################################################################### | ||
| 331 | #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls' | 328 | #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls' |
| 332 | ############################################################################### | 329 | ############################################################################### |
| 333 | (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'") | 330 | (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'") |
| 334 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 331 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 335 | #·preference·if·it·does·not·exist. | 332 | #·preference·if·it·does·not·exist. |
| 336 | # | 333 | # |
| 337 | #·Expects·three·arguments: | 334 | #·Expects·three·arguments: |
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> | 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Google·Chromium·Browser</ns0:product> | 14 | ··········<ns0:product>Google·Chromium·Browser</ns0:product> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="2020-04-28T11:48:09"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Blacklist·Extension·Installation</ns0:title> | 36 | ············<ns0:title>Blacklist·Extension·Installation</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Google·Chromium·Browser</ns0:platform> | 38 | ··············<ns0:platform>Google·Chromium·Browser</ns0:platform> |
| Offset 896, 15 lines modified | Offset 896, 15 lines modified | ||
| 896 | ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/> | 896 | ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/> |
| 897 | ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/> | 897 | ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/> |
| 898 | ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/> | 898 | ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/> |
| 899 | ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/> | 899 | ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/> |
| 900 | ······</ns0:variables> | 900 | ······</ns0:variables> |
| 901 | ····</ns0:oval_definitions> | 901 | ····</ns0:oval_definitions> |
| 902 | ··</ds:component> | 902 | ··</ds:component> |
| 903 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="202 | 903 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="2020-04-28T11:48:09"> |
| 904 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 904 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 905 | ······<ns0:generator> | 905 | ······<ns0:generator> |
| 906 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 906 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 907 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 907 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 908 | ········<ns0:schema_version>2.0</ns0:schema_version> | 908 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 909 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 909 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 910 | ······</ns0:generator> | 910 | ······</ns0:generator> |
| Offset 1025, 18 lines modified | Offset 1025, 18 lines modified | ||
| 1025 | ········</ns0:questionnaire> | 1025 | ········</ns0:questionnaire> |
| 1026 | ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> | 1026 | ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> |
| 1027 | ··········<ns0:title>Block·Plugins·by·Default</ns0:title> | 1027 | ··········<ns0:title>Block·Plugins·by·Default</ns0:title> |
| 1028 | ··········<ns0:actions> | 1028 | ··········<ns0:actions> |
| 1029 | ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> | 1029 | ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> |
| 1030 | ··········</ns0:actions> | 1030 | ··········</ns0:actions> |
| 1031 | ········</ns0:questionnaire> | 1031 | ········</ns0:questionnaire> |
| 1032 | ········<ns0:questionnaire·id="ocil:ssg-chromium_ | 1032 | ········<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1"> |
| 1033 | ··········<ns0:title> | 1033 | ··········<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title> |
| 1034 | ··········<ns0:actions> | 1034 | ··········<ns0:actions> |
| 1035 | ············<ns0:test_action_ref>ocil:ssg-chromium_ | 1035 | ············<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref> |
| 1036 | ··········</ns0:actions> | 1036 | ··········</ns0:actions> |
| 1037 | ········</ns0:questionnaire> | 1037 | ········</ns0:questionnaire> |
| 1038 | ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> | 1038 | ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> |
| 1039 | ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> | 1039 | ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> |
| 1040 | ··········<ns0:actions> | 1040 | ··········<ns0:actions> |
| 1041 | ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> | 1041 | ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> |
| 1042 | ··········</ns0:actions> | 1042 | ··········</ns0:actions> |
| Offset 1121, 18 lines modified | Offset 1121, 18 lines modified | ||
| 1121 | ········</ns0:questionnaire> | 1121 | ········</ns0:questionnaire> |
| 1122 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> | 1122 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> |
| 1123 | ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> | 1123 | ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> |
| 1124 | ··········<ns0:actions> | 1124 | ··········<ns0:actions> |
| 1125 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> | 1125 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> |
| 1126 | ··········</ns0:actions> | 1126 | ··········</ns0:actions> |
| 1127 | ········</ns0:questionnaire> | 1127 | ········</ns0:questionnaire> |
| 1128 | ········<ns0:questionnaire·id="ocil:ssg-chromium_ | 1128 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1"> |
| 1129 | ··········<ns0:title> | 1129 | ··········<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title> |
| 1130 | ··········<ns0:actions> | 1130 | ··········<ns0:actions> |
| 1131 | ············<ns0:test_action_ref>ocil:ssg-chromium_ | 1131 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref> |
| 1132 | ··········</ns0:actions> | 1132 | ··········</ns0:actions> |
| 1133 | ········</ns0:questionnaire> | 1133 | ········</ns0:questionnaire> |
| 1134 | ······</ns0:questionnaires> | 1134 | ······</ns0:questionnaires> |
| 1135 | ······<ns0:test_actions> | 1135 | ······<ns0:test_actions> |
| 1136 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> | 1136 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> |
| 1137 | ··········<ns0:when_true> | 1137 | ··········<ns0:when_true> |
| 1138 | ············<ns0:result>PASS</ns0:result> | 1138 | ············<ns0:result>PASS</ns0:result> |
| Offset 1289, 15 lines modified | Offset 1289, 15 lines modified | ||
| 1289 | ··········<ns0:when_true> | 1289 | ··········<ns0:when_true> |
| 1290 | ············<ns0:result>PASS</ns0:result> | 1290 | ············<ns0:result>PASS</ns0:result> |
| 1291 | ··········</ns0:when_true> | 1291 | ··········</ns0:when_true> |
| 1292 | ··········<ns0:when_false> | 1292 | ··········<ns0:when_false> |
| 1293 | ············<ns0:result>FAIL</ns0:result> | 1293 | ············<ns0:result>FAIL</ns0:result> |
| 1294 | ··········</ns0:when_false> | 1294 | ··········</ns0:when_false> |
| 1295 | ········</ns0:boolean_question_test_action> | 1295 | ········</ns0:boolean_question_test_action> |
| 1296 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_ | 1296 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1"·question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1"> |
| 1297 | ··········<ns0:when_true> | 1297 | ··········<ns0:when_true> |
| 1298 | ············<ns0:result>PASS</ns0:result> | 1298 | ············<ns0:result>PASS</ns0:result> |
| 1299 | ··········</ns0:when_true> | 1299 | ··········</ns0:when_true> |
| 1300 | ··········<ns0:when_false> | 1300 | ··········<ns0:when_false> |
| 1301 | ············<ns0:result>FAIL</ns0:result> | 1301 | ············<ns0:result>FAIL</ns0:result> |
| 1302 | ··········</ns0:when_false> | 1302 | ··········</ns0:when_false> |
| 1303 | ········</ns0:boolean_question_test_action> | 1303 | ········</ns0:boolean_question_test_action> |
| Offset 1417, 15 lines modified | Offset 1417, 15 lines modified | ||
| 1417 | ··········<ns0:when_true> | 1417 | ··········<ns0:when_true> |
| 1418 | ············<ns0:result>PASS</ns0:result> | 1418 | ············<ns0:result>PASS</ns0:result> |
| 1419 | ··········</ns0:when_true> | 1419 | ··········</ns0:when_true> |
| 1420 | ··········<ns0:when_false> | 1420 | ··········<ns0:when_false> |
| 1421 | ············<ns0:result>FAIL</ns0:result> | 1421 | ············<ns0:result>FAIL</ns0:result> |
| 1422 | ··········</ns0:when_false> | 1422 | ··········</ns0:when_false> |
| 1423 | ········</ns0:boolean_question_test_action> | 1423 | ········</ns0:boolean_question_test_action> |
| 1424 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_ | 1424 | ········<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1"> |
| 1425 | ··········<ns0:when_true> | 1425 | ··········<ns0:when_true> |
| 1426 | ············<ns0:result>PASS</ns0:result> | 1426 | ············<ns0:result>PASS</ns0:result> |
| 1427 | ··········</ns0:when_true> | 1427 | ··········</ns0:when_true> |
| 1428 | ··········<ns0:when_false> | 1428 | ··········<ns0:when_false> |
| 1429 | ············<ns0:result>FAIL</ns0:result> | 1429 | ············<ns0:result>FAIL</ns0:result> |
| 1430 | ··········</ns0:when_false> | 1430 | ··········</ns0:when_false> |
| 1431 | ········</ns0:boolean_question_test_action> | 1431 | ········</ns0:boolean_question_test_action> |
| Offset 1571, 20 lines modified | Offset 1571, 20 lines modified | ||
| 1571 | ········<ns0:boolean_question·id="ocil:ssg-chromium_default_block_plugins_question:question:1"> | 1571 | ········<ns0:boolean_question·id="ocil:ssg-chromium_default_block_plugins_question:question:1"> |
| 1572 | ··········<ns0:question_text>To·verify·that·plugins·cannot·run·automatically,·run·the·following·command: | 1572 | ··········<ns0:question_text>To·verify·that·plugins·cannot·run·automatically,·run·the·following·command: |
| 1573 | $·grep·DefaultPluginsSetting·/etc/chromium/policies/managed/*.json | 1573 | $·grep·DefaultPluginsSetting·/etc/chromium/policies/managed/*.json |
| 1574 | The·output·should·contain: | 1574 | The·output·should·contain: |
| 1575 | "DefaultPluginsSetting":·3, | 1575 | "DefaultPluginsSetting":·3, |
| 1576 | » » » Is·it·the·case·that·it·is·not·set·correctly?</ns0:question_text> | 1576 | » » » Is·it·the·case·that·it·is·not·set·correctly?</ns0:question_text> |
| 1577 | ········</ns0:boolean_question> | 1577 | ········</ns0:boolean_question> |
| 1578 | ········<ns0:boolean_question·id="ocil:ssg-chromium_ | 1578 | ········<ns0:boolean_question·id="ocil:ssg-chromium_plugins_require_authorization_question:question:1"> |
| 1579 | ··········<ns0:question_text>To·verify·that· | 1579 | ··········<ns0:question_text>To·verify·that·plugins·require·authorization·to·run,·run·the·following·command: |
| 1580 | $·grep· | 1580 | $·grep·AlwaysAuthorizePlugins·/etc/chromium/policies/managed/*.json |
| 1581 | The·output·should·contain: | 1581 | The·output·should·contain: |
| 1582 | " | 1582 | "AlwaysAuthorizePlugins":·false, |
| 1583 | » » » Is·it·the·case·that· | 1583 | » » » Is·it·the·case·that·it·is·not·set?</ns0:question_text> |
| 1584 | ········</ns0:boolean_question> | 1584 | ········</ns0:boolean_question> |
| 1585 | ········<ns0:boolean_question·id="ocil:ssg-chromium_enable_safe_browsing_question:question:1"> | 1585 | ········<ns0:boolean_question·id="ocil:ssg-chromium_enable_safe_browsing_question:question:1"> |
| 1586 | ··········<ns0:question_text>To·verify·that·the·safe·browsing·feature·is·enabled,·run·the·following·command: | 1586 | ··········<ns0:question_text>To·verify·that·the·safe·browsing·feature·is·enabled,·run·the·following·command: |
| 1587 | $·grep·SafeBrowsingEnabled·/etc/chromium/policies/managed/*.json | 1587 | $·grep·SafeBrowsingEnabled·/etc/chromium/policies/managed/*.json |
| 1588 | The·output·should·contain: | 1588 | The·output·should·contain: |
| 1589 | "SafeBrowsingEnabled":·true, | 1589 | "SafeBrowsingEnabled":·true, |
| Max diff block lines reached; 83994/93920 bytes (89.43%) of diff not shown. | |||
| Offset 123, 18 lines modified | Offset 123, 18 lines modified | ||
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Block·Plugins·by·Default</ns0:title> | 125 | ······<ns0:title>Block·Plugins·by·Default</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-chromium_ | 130 | ····<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1"> |
| 131 | ······<ns0:title> | 131 | ······<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title> |
| 132 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-chromium_ | 133 | ········<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> | 136 | ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> | 137 | ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> |
| 138 | ······<ns0:actions> | 138 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> | 139 | ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 140 | ······</ns0:actions> |
| Offset 219, 18 lines modified | Offset 219, 18 lines modified | ||
| 219 | ····</ns0:questionnaire> | 219 | ····</ns0:questionnaire> |
| 220 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> | 220 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> |
| 221 | ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> | 221 | ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> |
| 222 | ······<ns0:actions> | 222 | ······<ns0:actions> |
| 223 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> | 223 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> |
| 224 | ······</ns0:actions> | 224 | ······</ns0:actions> |
| 225 | ····</ns0:questionnaire> | 225 | ····</ns0:questionnaire> |
| 226 | ····<ns0:questionnaire·id="ocil:ssg-chromium_ | 226 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1"> |
| 227 | ······<ns0:title> | 227 | ······<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title> |
| 228 | ······<ns0:actions> | 228 | ······<ns0:actions> |
| 229 | ········<ns0:test_action_ref>ocil:ssg-chromium_ | 229 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref> |
| 230 | ······</ns0:actions> | 230 | ······</ns0:actions> |
| 231 | ····</ns0:questionnaire> | 231 | ····</ns0:questionnaire> |
| 232 | ··</ns0:questionnaires> | 232 | ··</ns0:questionnaires> |
| 233 | ··<ns0:test_actions> | 233 | ··<ns0:test_actions> |
| 234 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> | 234 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> |
| 235 | ······<ns0:when_true> | 235 | ······<ns0:when_true> |
| 236 | ········<ns0:result>PASS</ns0:result> | 236 | ········<ns0:result>PASS</ns0:result> |
| Offset 387, 15 lines modified | Offset 387, 15 lines modified | ||
| 387 | ······<ns0:when_true> | 387 | ······<ns0:when_true> |
| 388 | ········<ns0:result>PASS</ns0:result> | 388 | ········<ns0:result>PASS</ns0:result> |
| 389 | ······</ns0:when_true> | 389 | ······</ns0:when_true> |
| 390 | ······<ns0:when_false> | 390 | ······<ns0:when_false> |
| 391 | ········<ns0:result>FAIL</ns0:result> | 391 | ········<ns0:result>FAIL</ns0:result> |
| 392 | ······</ns0:when_false> | 392 | ······</ns0:when_false> |
| 393 | ····</ns0:boolean_question_test_action> | 393 | ····</ns0:boolean_question_test_action> |
| 394 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_ | 394 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1"·question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1"> |
| 395 | ······<ns0:when_true> | 395 | ······<ns0:when_true> |
| 396 | ········<ns0:result>PASS</ns0:result> | 396 | ········<ns0:result>PASS</ns0:result> |
| 397 | ······</ns0:when_true> | 397 | ······</ns0:when_true> |
| 398 | ······<ns0:when_false> | 398 | ······<ns0:when_false> |
| 399 | ········<ns0:result>FAIL</ns0:result> | 399 | ········<ns0:result>FAIL</ns0:result> |
| 400 | ······</ns0:when_false> | 400 | ······</ns0:when_false> |
| 401 | ····</ns0:boolean_question_test_action> | 401 | ····</ns0:boolean_question_test_action> |
| Offset 515, 15 lines modified | Offset 515, 15 lines modified | ||
| 515 | ······<ns0:when_true> | 515 | ······<ns0:when_true> |
| 516 | ········<ns0:result>PASS</ns0:result> | 516 | ········<ns0:result>PASS</ns0:result> |
| 517 | ······</ns0:when_true> | 517 | ······</ns0:when_true> |
| 518 | ······<ns0:when_false> | 518 | ······<ns0:when_false> |
| 519 | ········<ns0:result>FAIL</ns0:result> | 519 | ········<ns0:result>FAIL</ns0:result> |
| 520 | ······</ns0:when_false> | 520 | ······</ns0:when_false> |
| 521 | ····</ns0:boolean_question_test_action> | 521 | ····</ns0:boolean_question_test_action> |
| 522 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_ | 522 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1"> |
| 523 | ······<ns0:when_true> | 523 | ······<ns0:when_true> |
| 524 | ········<ns0:result>PASS</ns0:result> | 524 | ········<ns0:result>PASS</ns0:result> |
| 525 | ······</ns0:when_true> | 525 | ······</ns0:when_true> |
| 526 | ······<ns0:when_false> | 526 | ······<ns0:when_false> |
| 527 | ········<ns0:result>FAIL</ns0:result> | 527 | ········<ns0:result>FAIL</ns0:result> |
| 528 | ······</ns0:when_false> | 528 | ······</ns0:when_false> |
| 529 | ····</ns0:boolean_question_test_action> | 529 | ····</ns0:boolean_question_test_action> |
| Offset 669, 20 lines modified | Offset 669, 20 lines modified | ||
| 669 | ····<ns0:boolean_question·id="ocil:ssg-chromium_default_block_plugins_question:question:1"> | 669 | ····<ns0:boolean_question·id="ocil:ssg-chromium_default_block_plugins_question:question:1"> |
| 670 | ······<ns0:question_text>To·verify·that·plugins·cannot·run·automatically,·run·the·following·command: | 670 | ······<ns0:question_text>To·verify·that·plugins·cannot·run·automatically,·run·the·following·command: |
| 671 | $·grep·DefaultPluginsSetting·/etc/chromium/policies/managed/*.json | 671 | $·grep·DefaultPluginsSetting·/etc/chromium/policies/managed/*.json |
| 672 | The·output·should·contain: | 672 | The·output·should·contain: |
| 673 | "DefaultPluginsSetting":·3, | 673 | "DefaultPluginsSetting":·3, |
| 674 | » » » Is·it·the·case·that·it·is·not·set·correctly?</ns0:question_text> | 674 | » » » Is·it·the·case·that·it·is·not·set·correctly?</ns0:question_text> |
| 675 | ····</ns0:boolean_question> | 675 | ····</ns0:boolean_question> |
| 676 | ····<ns0:boolean_question·id="ocil:ssg-chromium_ | 676 | ····<ns0:boolean_question·id="ocil:ssg-chromium_plugins_require_authorization_question:question:1"> |
| 677 | ······<ns0:question_text>To·verify·that· | 677 | ······<ns0:question_text>To·verify·that·plugins·require·authorization·to·run,·run·the·following·command: |
| 678 | $·grep· | 678 | $·grep·AlwaysAuthorizePlugins·/etc/chromium/policies/managed/*.json |
| 679 | The·output·should·contain: | 679 | The·output·should·contain: |
| 680 | " | 680 | "AlwaysAuthorizePlugins":·false, |
| 681 | » » » Is·it·the·case·that· | 681 | » » » Is·it·the·case·that·it·is·not·set?</ns0:question_text> |
| 682 | ····</ns0:boolean_question> | 682 | ····</ns0:boolean_question> |
| 683 | ····<ns0:boolean_question·id="ocil:ssg-chromium_enable_safe_browsing_question:question:1"> | 683 | ····<ns0:boolean_question·id="ocil:ssg-chromium_enable_safe_browsing_question:question:1"> |
| 684 | ······<ns0:question_text>To·verify·that·the·safe·browsing·feature·is·enabled,·run·the·following·command: | 684 | ······<ns0:question_text>To·verify·that·the·safe·browsing·feature·is·enabled,·run·the·following·command: |
| 685 | $·grep·SafeBrowsingEnabled·/etc/chromium/policies/managed/*.json | 685 | $·grep·SafeBrowsingEnabled·/etc/chromium/policies/managed/*.json |
| 686 | The·output·should·contain: | 686 | The·output·should·contain: |
| 687 | "SafeBrowsingEnabled":·true, | 687 | "SafeBrowsingEnabled":·true, |
| 688 | » » » Is·it·the·case·that·it·is·not·enabled?</ns0:question_text> | 688 | » » » Is·it·the·case·that·it·is·not·enabled?</ns0:question_text> |
| Offset 782, 16 lines modified | Offset 782, 16 lines modified | ||
| 782 | ····<ns0:boolean_question·id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1"> | 782 | ····<ns0:boolean_question·id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1"> |
| 783 | ······<ns0:question_text>To·verify·that·the·Cloud·Print·Sharing·feature·is·disabled,·run·the·following·command: | 783 | ······<ns0:question_text>To·verify·that·the·Cloud·Print·Sharing·feature·is·disabled,·run·the·following·command: |
| 784 | $·grep·CloudPrintProxyEnabled·/etc/chromium/policies/managed/*.json | 784 | $·grep·CloudPrintProxyEnabled·/etc/chromium/policies/managed/*.json |
| 785 | The·output·should·contain: | 785 | The·output·should·contain: |
| 786 | "CloudPrintProxyEnabled":·false, | 786 | "CloudPrintProxyEnabled":·false, |
| 787 | » » » Is·it·the·case·that·it·is·not·disabled?</ns0:question_text> | 787 | » » » Is·it·the·case·that·it·is·not·disabled?</ns0:question_text> |
| 788 | ····</ns0:boolean_question> | 788 | ····</ns0:boolean_question> |
| 789 | ····<ns0:boolean_question·id="ocil:ssg-chromium_ | 789 | ····<ns0:boolean_question·id="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1"> |
| 790 | ······<ns0:question_text>To·verify·that· | 790 | ······<ns0:question_text>To·verify·that·the·use·of·cleartext·passwords·is·disabled,·run·the·following·command: |
| 791 | $·grep· | 791 | $·grep·PasswordManagerAllowShowPasswords·/etc/chromium/policies/managed/*.json |
| 792 | The·output·should·contain: | 792 | The·output·should·contain: |
| 793 | " | 793 | "PasswordManagerAllowShowPasswords":·false, |
| 794 | » » » Is·it·the·case·that· | 794 | » » » Is·it·the·case·that·use·of·cleartext·passwords·are·not·disabled?</ns0:question_text> |
| 795 | ····</ns0:boolean_question> | 795 | ····</ns0:boolean_question> |
| 796 | ··</ns0:questions> | 796 | ··</ns0:questions> |
| 797 | </ns0:ocil> | 797 | </ns0:ocil> |
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Blacklist·Extension·Installation</ns0:title> | 12 | ········<ns0:title>Blacklist·Extension·Installation</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Google·Chromium·Browser</ns0:platform> | 14 | ··········<ns0:platform>Google·Chromium·Browser</ns0:platform> |
| Offset 222, 467 lines modified | Offset 222, 145 lines modified | ||
| 222 | ····<refine-value·idref="var_extension_whitelist"·selector="none"/> | 222 | ····<refine-value·idref="var_extension_whitelist"·selector="none"/> |
| 223 | ····<refine-value·idref="var_auth_schema"·selector="negotiate"/> | 223 | ····<refine-value·idref="var_auth_schema"·selector="negotiate"/> |
| 224 | ····<refine-value·idref="var_trusted_home_page"·selector="blank"/> | 224 | ····<refine-value·idref="var_trusted_home_page"·selector="blank"/> |
| 225 | ··</Profile> | 225 | ··</Profile> |
| 226 | ··<Group·id="remediation_functions"> | 226 | ··<Group·id="remediation_functions"> |
| 227 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 227 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 228 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 228 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 229 | ····<Value·hidden="true"·id="function_fi | 229 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> |
| 230 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fi | 230 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> |
| 231 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 232 | ······<value>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | ||
| 233 | #·preference·if·it·does·not·exist. | ||
| 234 | # | ||
| 235 | #·Expects·three·arguments: | ||
| 236 | # | ||
| 237 | #·config_file:··········Configuration·file·that·will·be·modified | ||
| 238 | #·key:··················Configuration·option·to·change | ||
| 239 | #·value:················Value·of·the·configuration·option·to·change | ||
| 240 | # | ||
| 241 | # | ||
| 242 | #·Example·Call(s): | ||
| 243 | # | ||
| 244 | #·····Without·string·or·variable: | ||
| 245 | #·····firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | ||
| 246 | # | ||
| 247 | #·····With·string: | ||
| 248 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | ||
| 249 | # | ||
| 250 | #·····With·a·string·variable: | ||
| 251 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"$var_config_file_name\"" | ||
| 252 | # | ||
| 253 | function·firefox_js_setting·{ | ||
| 254 | ··local·firefox_js=$1 | ||
| 255 | ··local·key=$2 | ||
| 256 | ··local·value=$3 | ||
| 257 | ··local·firefox_dirs="/usr/lib/firefox·/usr/lib64/firefox·/usr/local/lib/firefox·/usr/local/lib64/firefox" | ||
| 258 | ··local·firefox_pref="/defaults/pref" | ||
| 259 | ··local·firefox_preferences="/defaults/preferences" | ||
| 260 | ··#·Check·sanity·of·input | ||
| 261 | ··if·[·$#·-lt·"3"·] | ||
| 262 | ··then | ||
| 263 | ········echo·"Usage:·firefox_js_setting·'config_javascript_file'·'key_to_search'·'new_value'" | ||
| 264 | ········echo | ||
| 265 | ········echo·"Aborting." | ||
| 266 | ········exit·1 | ||
| 267 | ··fi | ||
| 268 | ··#·Check·the·possible·Firefox·install·directories | ||
| 269 | ··for·firefox_dir·in·${firefox_dirs};·do | ||
| 270 | ····#·If·the·Firefox·directory·exists,·then·Firefox·is·installed | ||
| 271 | ····if·[·-d·"${firefox_dir}"·];·then | ||
| 272 | ······#·Different·versions·of·Firefox·have·different·preferences·directories,·check·for·them·and·set·the·right·one | ||
| 273 | ······if·[·-d·"${firefox_dir}/${firefox_pref}"·]·;·then | ||
| 274 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_pref}" | ||
| 275 | ······elif·[·-d·"${firefox_dir}/${firefox_preferences}"·]·;·then | ||
| 276 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 277 | ······else | ||
| 278 | ········mkdir·-m·755·-p·"${firefox_dir}/${firefox_preferences}" | ||
| 279 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 280 | ······fi | ||
| 281 | ······#·Make·sure·the·Firefox·.js·file·exists·and·has·the·appropriate·permissions | ||
| 282 | ······if·!·[·-f·"${firefox_pref_dir}/${firefox_js}"·]·;·then | ||
| 283 | ········touch·"${firefox_pref_dir}/${firefox_js}" | ||
| 284 | ········chmod·644·"${firefox_pref_dir}/${firefox_js}" | ||
| 285 | ······fi | ||
| 286 | ······#·If·the·key·exists,·change·it.·Otherwise,·add·it·to·the·config_file. | ||
| 287 | ······if·`grep·-q·"^pref(\"${key}\",·"·"${firefox_pref_dir}/${firefox_js}"`·;·then | ||
| 288 | ········sed·-i·"s/pref(\"${key}\".*/pref(\"${key}\",·${value});/g"·"${firefox_pref_dir}/${firefox_js}" | ||
| 289 | ······else | ||
| 290 | ········echo·"pref(\"${key}\",·${value});"·>>·"${firefox_pref_dir}/${firefox_js}" | ||
| 291 | ······fi | ||
| 292 | ····fi | ||
| 293 | ··done | ||
| 294 | }</value> | ||
| 295 | ····</Value> | ||
| 296 | ····<Value·hidden="true"·id="function_fix_audit_syscall_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 297 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_syscall_rule</title> | ||
| 298 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | 231 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> |
| 299 | ······<value>#·Function·to·fix·sys | 232 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: |
| 300 | #· | 233 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements |
| 301 | #· | 234 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect |
| 302 | #· | 235 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules |
| 303 | #·syscall·group·into·one·audit·rule·(rather·than·to·create·audit·rule·per | ||
| 304 | #·different·system·call)·to·avoid·audit·infrastructure·performance·penalty | ||
| 305 | #·in·the·case·of·'one-audit-rule-definition-per-one-system-call'.·See: | ||
| 306 | # | ||
| 307 | #···https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | ||
| 308 | # | ||
| 309 | #·for·further·details. | ||
| 310 | # | 236 | # |
| 311 | #·Expects·f | 237 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: |
| 312 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | 238 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, |
| 313 | #·» » » » » either·'auditctl',·or·'augenrules | 239 | #·» » » » » either·'auditctl',·or·'augenrules' |
| 314 | #·*·a | 240 | #·*·path························» value·of·-w·audit·rule's·argument |
| 315 | #·*· | 241 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument |
| 316 | #· | 242 | #·*·key·························» value·of·-k·audit·rule's·argument |
| 317 | #·*·architecture» » » architecture·this·rule·is·intended·for | ||
| 318 | #·*·full·form·of·new·rule·to·add» expected·full·form·of·audit·rule·as·to·be | ||
| 319 | #·» » » » » added·into·audit.rules·file | ||
| 320 | # | ||
| 321 | #·Note:·The·2-th·up·to·4-th·arguments·are·used·to·determine·how·many·existing | ||
| 322 | #·audit·rules·will·be·inspected·for·resemblance·with·the·new·audit·rule | ||
| 323 | #·(5-th·argument)·the·function·is·going·to·add.·The·rule's·similarity·check | ||
| 324 | #·is·performed·to·optimize·audit.rules·definition·(merge·syscalls·of·the·same | ||
| 325 | #·group·into·one·rule)·to·avoid·the·"single-syscall-per-audit-rule"·performance | ||
| 326 | #·penalty. | ||
| 327 | # | 243 | # |
| 328 | #·Example·call: | 244 | #·Example·call: |
| 329 | # | 245 | # |
| 330 | # | 246 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" |
| 331 | # | 247 | # |
| 332 | function·fix_audit_ | 248 | function·fix_audit_watch_rule·{ |
| 333 | #·Load·function·arguments·into·local·variables | 249 | #·Load·function·arguments·into·local·variables |
| 334 | local·tool="$1" | 250 | local·tool="$1" |
| 335 | local·pat | 251 | local·path="$2" |
| 336 | local· | 252 | local·required_access_bits="$3" |
| 337 | local· | 253 | local·key="$4" |
| 338 | local·full_rule="$5" | ||
| 339 | #·Check·sanity·of·the·input | 254 | #·Check·sanity·of·the·input |
| 340 | if·[·$#·-ne·" | 255 | if·[·$#·-ne·"4"·] |
| 341 | then | 256 | then |
| Max diff block lines reached; 71924/79705 bytes (90.24%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> | 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Mozilla·Firefox</ns0:product> | 14 | ··········<ns0:product>Mozilla·Firefox</ns0:product> |
| Offset 7, 665 lines modified | Offset 7, 32 lines modified | ||
| 7 | ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/> | 7 | ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/> |
| 8 | ········</cat:catalog> | 8 | ········</cat:catalog> |
| 9 | ······</ds:component-ref> | 9 | ······</ds:component-ref> |
| 10 | ····</ds:dictionaries> | 10 | ····</ds:dictionaries> |
| 11 | ····<ds:checklists> | 11 | ····<ds:checklists> |
| 12 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml"> | 12 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml"> |
| 13 | ········<cat:catalog> | 13 | ········<cat:catalog> |
| 14 | ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/> | ||
| 15 | ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/> | 14 | ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/> |
| 15 | ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/> | ||
| 16 | ········</cat:catalog> | 16 | ········</cat:catalog> |
| 17 | ······</ds:component-ref> | 17 | ······</ds:component-ref> |
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/> | ||
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/> | ||
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-o | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-oval.xml"·timestamp="2020-04-28T11:48:13"> |
| 26 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | ||
| 27 | ······<ns0:generator> | ||
| 28 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | ||
| 29 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | ||
| 30 | ········<ns0:schema_version>2.0</ns0:schema_version> | ||
| 31 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | ||
| 32 | ······</ns0:generator> | ||
| 33 | ······<ns0:questionnaires> | ||
| 34 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 35 | ··········<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 36 | ··········<ns0:actions> | ||
| 37 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 38 | ··········</ns0:actions> | ||
| 39 | ········</ns0:questionnaire> | ||
| 40 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 41 | ··········<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 42 | ··········<ns0:actions> | ||
| 43 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 44 | ··········</ns0:actions> | ||
| 45 | ········</ns0:questionnaire> | ||
| 46 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> | ||
| 47 | ··········<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> | ||
| 48 | ··········<ns0:actions> | ||
| 49 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> | ||
| 50 | ··········</ns0:actions> | ||
| 51 | ········</ns0:questionnaire> | ||
| 52 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> | ||
| 53 | ··········<ns0:title>Clear·Data·When·Firefox·Closes</ns0:title> | ||
| 54 | ··········<ns0:actions> | ||
| 55 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1</ns0:test_action_ref> | ||
| 56 | ··········</ns0:actions> | ||
| 57 | ········</ns0:questionnaire> | ||
| 58 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_obscure_ocil:questionnaire:1"> | ||
| 59 | ··········<ns0:title>Disable·Firefox·Configuration·File·ROT-13·Encoding</ns0:title> | ||
| 60 | ··········<ns0:actions> | ||
| 61 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1</ns0:test_action_ref> | ||
| 62 | ··········</ns0:actions> | ||
| 63 | ········</ns0:questionnaire> | ||
| 64 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> | ||
| 65 | ··········<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> | ||
| 66 | ··········<ns0:actions> | ||
| 67 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> | ||
| 68 | ··········</ns0:actions> | ||
| 69 | ········</ns0:questionnaire> | ||
| 70 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> | ||
| 71 | ··········<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> | ||
| 72 | ··········<ns0:actions> | ||
| 73 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> | ||
| 74 | ··········</ns0:actions> | ||
| 75 | ········</ns0:questionnaire> | ||
| 76 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> | ||
| 77 | ··········<ns0:title>Default·Firefox·Home·Page·Configured</ns0:title> | ||
| 78 | ··········<ns0:actions> | ||
| 79 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-home_page_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ··········</ns0:actions> | ||
| 81 | ········</ns0:questionnaire> | ||
| 82 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-shell_protocol_ocil:questionnaire:1"> | ||
| 83 | ··········<ns0:title>Disable·Firefox·Access·to·Shell·Protocols</ns0:title> | ||
| 84 | ··········<ns0:actions> | ||
| 85 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-shell_protocol_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ··········</ns0:actions> | ||
| 87 | ········</ns0:questionnaire> | ||
| 88 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1"> | ||
| 89 | ··········<ns0:title>Disable·Automatic·Downloads·of·MIME·Types</ns0:title> | ||
| 90 | ··········<ns0:actions> | ||
| 91 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ns0:test_action_ref> | ||
| 92 | ··········</ns0:actions> | ||
| 93 | ········</ns0:questionnaire> | ||
| 94 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-search_update_ocil:questionnaire:1"> | ||
| 95 | ··········<ns0:title>Disable·Installed·Search·Plugins·Update·Checking</ns0:title> | ||
| 96 | ··········<ns0:actions> | ||
| 97 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-search_update_action:testaction:1</ns0:test_action_ref> | ||
| 98 | ··········</ns0:actions> | ||
| 99 | ········</ns0:questionnaire> | ||
| 100 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-addons_plugin_updates_ocil:questionnaire:1"> | ||
| 101 | ··········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> | ||
| 102 | ··········<ns0:actions> | ||
| 103 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-addons_plugin_updates_action:testaction:1</ns0:test_action_ref> | ||
| 104 | ··········</ns0:actions> | ||
| 105 | ········</ns0:questionnaire> | ||
| 106 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-open_confirmation_ocil:questionnaire:1"> | ||
| 107 | ··········<ns0:title>Enable·Downloading·and·Opening·File·Confirmation</ns0:title> | ||
| 108 | ··········<ns0:actions> | ||
| 109 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-open_confirmation_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ··········</ns0:actions> | ||
| 111 | ········</ns0:questionnaire> | ||
| 112 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_resizing_ocil:questionnaire:1"> | ||
| 113 | ··········<ns0:title>Disable·JavaScript's·Moving·Or·Resizing·Windows·Capability</ns0:title> | ||
| 114 | ··········<ns0:actions> | ||
| 115 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_resizing_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ··········</ns0:actions> | ||
| 117 | ········</ns0:questionnaire> | ||
| 118 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-verification_ocil:questionnaire:1"> | ||
| 119 | ··········<ns0:title>Enable·Certificate·Verification</ns0:title> | ||
| 120 | ··········<ns0:actions> | ||
| 121 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-verification_action:testaction:1</ns0:test_action_ref> | ||
| 122 | ··········</ns0:actions> | ||
| 123 | ········</ns0:questionnaire> | ||
| 124 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-pop-up_windows_ocil:questionnaire:1"> | ||
| 125 | ··········<ns0:title>Enable·Firefox·Pop-up·Blocker</ns0:title> | ||
| 126 | ··········<ns0:actions> | ||
| 127 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-pop-up_windows_action:testaction:1</ns0:test_action_ref> | ||
| 128 | ··········</ns0:actions> | ||
| 129 | ········</ns0:questionnaire> | ||
| 130 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_version_2_ocil:questionnaire:1"> | ||
| 131 | ··········<ns0:title>Disable·SSL·Version·2.0·in·Firefox</ns0:title> | ||
| Max diff block lines reached; 123842/163879 bytes (75.57%) of diff not shown. | |||
| Offset 3, 26 lines modified | Offset 3, 14 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 11 | ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 17 | ······<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 18 | ······<ns0:actions> | ||
| 19 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 20 | ······</ns0:actions> | ||
| 21 | ····</ns0:questionnaire> | ||
| 22 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> | 10 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> | 11 | ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> |
| 24 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> | 13 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> |
| Offset 39, 14 lines modified | Offset 27, 26 lines modified | ||
| 39 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> | 28 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> |
| 41 | ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> | 29 | ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> |
| 42 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> | 31 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 35 | ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 36 | ······<ns0:actions> | ||
| 37 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 38 | ······</ns0:actions> | ||
| 39 | ····</ns0:questionnaire> | ||
| 40 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 41 | ······<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 42 | ······<ns0:actions> | ||
| 43 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 44 | ······</ns0:actions> | ||
| 45 | ····</ns0:questionnaire> | ||
| 46 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> | 47 | ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> | 52 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> |
| Offset 173, 55 lines modified | Offset 173, 55 lines modified | ||
| 173 | ······<ns0:title>Disable·JavaScript's·Ability·To·Modify·The·Browser·Appearance</ns0:title> | 173 | ······<ns0:title>Disable·JavaScript's·Ability·To·Modify·The·Browser·Appearance</ns0:title> |
| 174 | ······<ns0:actions> | 174 | ······<ns0:actions> |
| 175 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1</ns0:test_action_ref> | 175 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1</ns0:test_action_ref> |
| 176 | ······</ns0:actions> | 176 | ······</ns0:actions> |
| 177 | ····</ns0:questionnaire> | 177 | ····</ns0:questionnaire> |
| 178 | ··</ns0:questionnaires> | 178 | ··</ns0:questionnaires> |
| 179 | ··<ns0:test_actions> | 179 | ··<ns0:test_actions> |
| 180 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 180 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_user_notice_question:question:1"> |
| 181 | ······<ns0:when_true> | 181 | ······<ns0:when_true> |
| 182 | ········<ns0:result>PASS</ns0:result> | 182 | ········<ns0:result>PASS</ns0:result> |
| 183 | ······</ns0:when_true> | 183 | ······</ns0:when_true> |
| 184 | ······<ns0:when_false> | 184 | ······<ns0:when_false> |
| 185 | ········<ns0:result>FAIL</ns0:result> | 185 | ········<ns0:result>FAIL</ns0:result> |
| 186 | ······</ns0:when_false> | 186 | ······</ns0:when_false> |
| 187 | ····</ns0:boolean_question_test_action> | 187 | ····</ns0:boolean_question_test_action> |
| 188 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 188 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_clear_question:question:1"> |
| 189 | ······<ns0:when_true> | 189 | ······<ns0:when_true> |
| 190 | ········<ns0:result>PASS</ns0:result> | 190 | ········<ns0:result>PASS</ns0:result> |
| 191 | ······</ns0:when_true> | 191 | ······</ns0:when_true> |
| 192 | ······<ns0:when_false> | 192 | ······<ns0:when_false> |
| 193 | ········<ns0:result>FAIL</ns0:result> | 193 | ········<ns0:result>FAIL</ns0:result> |
| 194 | ······</ns0:when_false> | 194 | ······</ns0:when_false> |
| 195 | ····</ns0:boolean_question_test_action> | 195 | ····</ns0:boolean_question_test_action> |
| 196 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 196 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_obscure_question:question:1"> |
| 197 | ······<ns0:when_true> | 197 | ······<ns0:when_true> |
| 198 | ········<ns0:result>PASS</ns0:result> | 198 | ········<ns0:result>PASS</ns0:result> |
| 199 | ······</ns0:when_true> | 199 | ······</ns0:when_true> |
| 200 | ······<ns0:when_false> | 200 | ······<ns0:when_false> |
| 201 | ········<ns0:result>FAIL</ns0:result> | 201 | ········<ns0:result>FAIL</ns0:result> |
| 202 | ······</ns0:when_false> | 202 | ······</ns0:when_false> |
| 203 | ····</ns0:boolean_question_test_action> | 203 | ····</ns0:boolean_question_test_action> |
| 204 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 204 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_config_file_question:question:1"> |
| 205 | ······<ns0:when_true> | 205 | ······<ns0:when_true> |
| 206 | ········<ns0:result>PASS</ns0:result> | 206 | ········<ns0:result>PASS</ns0:result> |
| 207 | ······</ns0:when_true> | 207 | ······</ns0:when_true> |
| 208 | ······<ns0:when_false> | 208 | ······<ns0:when_false> |
| 209 | ········<ns0:result>FAIL</ns0:result> | 209 | ········<ns0:result>FAIL</ns0:result> |
| 210 | ······</ns0:when_false> | 210 | ······</ns0:when_false> |
| 211 | ····</ns0:boolean_question_test_action> | 211 | ····</ns0:boolean_question_test_action> |
| 212 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 212 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1"> |
| 213 | ······<ns0:when_true> | 213 | ······<ns0:when_true> |
| 214 | ········<ns0:result>PASS</ns0:result> | 214 | ········<ns0:result>PASS</ns0:result> |
| 215 | ······</ns0:when_true> | 215 | ······</ns0:when_true> |
| 216 | ······<ns0:when_false> | 216 | ······<ns0:when_false> |
| 217 | ········<ns0:result>FAIL</ns0:result> | 217 | ········<ns0:result>FAIL</ns0:result> |
| 218 | ······</ns0:when_false> | 218 | ······</ns0:when_false> |
| 219 | ····</ns0:boolean_question_test_action> | 219 | ····</ns0:boolean_question_test_action> |
| 220 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 220 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1"> |
| 221 | ······<ns0:when_true> | 221 | ······<ns0:when_true> |
| 222 | ········<ns0:result>PASS</ns0:result> | 222 | ········<ns0:result>PASS</ns0:result> |
| 223 | ······</ns0:when_true> | 223 | ······</ns0:when_true> |
| 224 | ······<ns0:when_false> | 224 | ······<ns0:when_false> |
| 225 | ········<ns0:result>FAIL</ns0:result> | 225 | ········<ns0:result>FAIL</ns0:result> |
| 226 | ······</ns0:when_false> | 226 | ······</ns0:when_false> |
| 227 | ····</ns0:boolean_question_test_action> | 227 | ····</ns0:boolean_question_test_action> |
| Offset 399, 30 lines modified | Offset 399, 14 lines modified | ||
| 399 | ······</ns0:when_true> | 399 | ······</ns0:when_true> |
| 400 | ······<ns0:when_false> | 400 | ······<ns0:when_false> |
| 401 | ········<ns0:result>FAIL</ns0:result> | 401 | ········<ns0:result>FAIL</ns0:result> |
| 402 | ······</ns0:when_false> | 402 | ······</ns0:when_false> |
| 403 | ····</ns0:boolean_question_test_action> | 403 | ····</ns0:boolean_question_test_action> |
| 404 | ··</ns0:test_actions> | 404 | ··</ns0:test_actions> |
| 405 | ··<ns0:questions> | 405 | ··<ns0:questions> |
| 406 | ····<ns0:boolean_question·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1"> | ||
| 407 | ······<ns0:question_text>To·verify·that·the·DoD·root·certificate·is·installed, | ||
| 408 | list·all·certificates·in·/etc/pki/ca-trust/source/anchors | ||
| 409 | and·compare·them·to·the·DoD·root·certificate.·If·there·is·a·match | ||
| 410 | to·the·DoD·root·certificate,·then·the·DoD·root·certificate·is· | ||
| 411 | installed. | ||
| 412 | » » » Is·it·the·case·that·it·is·not·installed?</ns0:question_text> | ||
| 413 | ····</ns0:boolean_question> | ||
| 414 | ····<ns0:boolean_question·id="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1"> | ||
| 415 | ······<ns0:question_text>To·verify·that·the·central·system·cerificate·authority·store·is·enabled, | ||
| Max diff block lines reached; 2315/10800 bytes (21.44%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-firefox_preferences-addons_plugin_updates:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-firefox_preferences-addons_plugin_updates:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> | 12 | ········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Mozilla·Firefox</ns0:platform> | 14 | ··········<ns0:platform>Mozilla·Firefox</ns0:platform> |
| Offset 209, 467 lines modified | Offset 209, 145 lines modified | ||
| 209 | ····<select·idref="remediation_functions"·selected="false"/> | 209 | ····<select·idref="remediation_functions"·selected="false"/> |
| 210 | ····<refine-value·idref="var_default_home_page"·selector="about_blank"/> | 210 | ····<refine-value·idref="var_default_home_page"·selector="about_blank"/> |
| 211 | ····<refine-value·idref="var_required_file_types"·selector="default"/> | 211 | ····<refine-value·idref="var_required_file_types"·selector="default"/> |
| 212 | ··</Profile> | 212 | ··</Profile> |
| 213 | ··<Group·id="remediation_functions"> | 213 | ··<Group·id="remediation_functions"> |
| 214 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 214 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 215 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 215 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 216 | ····<Value·hidden="true"·id="function_fi | 216 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> |
| 217 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fi | 217 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> |
| 218 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 219 | ······<value>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | ||
| 220 | #·preference·if·it·does·not·exist. | ||
| 221 | # | ||
| 222 | #·Expects·three·arguments: | ||
| 223 | # | ||
| 224 | #·config_file:··········Configuration·file·that·will·be·modified | ||
| 225 | #·key:··················Configuration·option·to·change | ||
| 226 | #·value:················Value·of·the·configuration·option·to·change | ||
| 227 | # | ||
| 228 | # | ||
| 229 | #·Example·Call(s): | ||
| 230 | # | ||
| 231 | #·····Without·string·or·variable: | ||
| 232 | #·····firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | ||
| 233 | # | ||
| 234 | #·····With·string: | ||
| 235 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | ||
| 236 | # | ||
| 237 | #·····With·a·string·variable: | ||
| 238 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"$var_config_file_name\"" | ||
| 239 | # | ||
| 240 | function·firefox_js_setting·{ | ||
| 241 | ··local·firefox_js=$1 | ||
| 242 | ··local·key=$2 | ||
| 243 | ··local·value=$3 | ||
| 244 | ··local·firefox_dirs="/usr/lib/firefox·/usr/lib64/firefox·/usr/local/lib/firefox·/usr/local/lib64/firefox" | ||
| 245 | ··local·firefox_pref="/defaults/pref" | ||
| 246 | ··local·firefox_preferences="/defaults/preferences" | ||
| 247 | ··#·Check·sanity·of·input | ||
| 248 | ··if·[·$#·-lt·"3"·] | ||
| 249 | ··then | ||
| 250 | ········echo·"Usage:·firefox_js_setting·'config_javascript_file'·'key_to_search'·'new_value'" | ||
| 251 | ········echo | ||
| 252 | ········echo·"Aborting." | ||
| 253 | ········exit·1 | ||
| 254 | ··fi | ||
| 255 | ··#·Check·the·possible·Firefox·install·directories | ||
| 256 | ··for·firefox_dir·in·${firefox_dirs};·do | ||
| 257 | ····#·If·the·Firefox·directory·exists,·then·Firefox·is·installed | ||
| 258 | ····if·[·-d·"${firefox_dir}"·];·then | ||
| 259 | ······#·Different·versions·of·Firefox·have·different·preferences·directories,·check·for·them·and·set·the·right·one | ||
| 260 | ······if·[·-d·"${firefox_dir}/${firefox_pref}"·]·;·then | ||
| 261 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_pref}" | ||
| 262 | ······elif·[·-d·"${firefox_dir}/${firefox_preferences}"·]·;·then | ||
| 263 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 264 | ······else | ||
| 265 | ········mkdir·-m·755·-p·"${firefox_dir}/${firefox_preferences}" | ||
| 266 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 267 | ······fi | ||
| 268 | ······#·Make·sure·the·Firefox·.js·file·exists·and·has·the·appropriate·permissions | ||
| 269 | ······if·!·[·-f·"${firefox_pref_dir}/${firefox_js}"·]·;·then | ||
| 270 | ········touch·"${firefox_pref_dir}/${firefox_js}" | ||
| 271 | ········chmod·644·"${firefox_pref_dir}/${firefox_js}" | ||
| 272 | ······fi | ||
| 273 | ······#·If·the·key·exists,·change·it.·Otherwise,·add·it·to·the·config_file. | ||
| 274 | ······if·`grep·-q·"^pref(\"${key}\",·"·"${firefox_pref_dir}/${firefox_js}"`·;·then | ||
| 275 | ········sed·-i·"s/pref(\"${key}\".*/pref(\"${key}\",·${value});/g"·"${firefox_pref_dir}/${firefox_js}" | ||
| 276 | ······else | ||
| 277 | ········echo·"pref(\"${key}\",·${value});"·>>·"${firefox_pref_dir}/${firefox_js}" | ||
| 278 | ······fi | ||
| 279 | ····fi | ||
| 280 | ··done | ||
| 281 | }</value> | ||
| 282 | ····</Value> | ||
| 283 | ····<Value·hidden="true"·id="function_fix_audit_syscall_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 284 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_syscall_rule</title> | ||
| 285 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | 218 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> |
| 286 | ······<value>#·Function·to·fix·sys | 219 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: |
| 287 | #· | 220 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements |
| 288 | #· | 221 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect |
| 289 | #· | 222 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules |
| 290 | #·syscall·group·into·one·audit·rule·(rather·than·to·create·audit·rule·per | ||
| 291 | #·different·system·call)·to·avoid·audit·infrastructure·performance·penalty | ||
| 292 | #·in·the·case·of·'one-audit-rule-definition-per-one-system-call'.·See: | ||
| 293 | # | ||
| 294 | #···https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | ||
| 295 | # | ||
| 296 | #·for·further·details. | ||
| 297 | # | 223 | # |
| 298 | #·Expects·f | 224 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: |
| 299 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | 225 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, |
| 300 | #·» » » » » either·'auditctl',·or·'augenrules | 226 | #·» » » » » either·'auditctl',·or·'augenrules' |
| 301 | #·*·a | 227 | #·*·path························» value·of·-w·audit·rule's·argument |
| 302 | #·*· | 228 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument |
| 303 | #· | 229 | #·*·key·························» value·of·-k·audit·rule's·argument |
| 304 | #·*·architecture» » » architecture·this·rule·is·intended·for | ||
| 305 | #·*·full·form·of·new·rule·to·add» expected·full·form·of·audit·rule·as·to·be | ||
| 306 | #·» » » » » added·into·audit.rules·file | ||
| 307 | # | ||
| 308 | #·Note:·The·2-th·up·to·4-th·arguments·are·used·to·determine·how·many·existing | ||
| 309 | #·audit·rules·will·be·inspected·for·resemblance·with·the·new·audit·rule | ||
| 310 | #·(5-th·argument)·the·function·is·going·to·add.·The·rule's·similarity·check | ||
| 311 | #·is·performed·to·optimize·audit.rules·definition·(merge·syscalls·of·the·same | ||
| 312 | #·group·into·one·rule)·to·avoid·the·"single-syscall-per-audit-rule"·performance | ||
| 313 | #·penalty. | ||
| 314 | # | 230 | # |
| 315 | #·Example·call: | 231 | #·Example·call: |
| 316 | # | 232 | # |
| 317 | # | 233 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" |
| 318 | # | 234 | # |
| 319 | function·fix_audit_ | 235 | function·fix_audit_watch_rule·{ |
| 320 | #·Load·function·arguments·into·local·variables | 236 | #·Load·function·arguments·into·local·variables |
| 321 | local·tool="$1" | 237 | local·tool="$1" |
| 322 | local·pat | 238 | local·path="$2" |
| 323 | local· | 239 | local·required_access_bits="$3" |
| 324 | local· | 240 | local·key="$4" |
| 325 | local·full_rule="$5" | ||
| 326 | #·Check·sanity·of·the·input | 241 | #·Check·sanity·of·the·input |
| 327 | if·[·$#·-ne·" | 242 | if·[·$#·-ne·"4"·] |
| 328 | then | 243 | then |
| Max diff block lines reached; 74296/82082 bytes (90.51%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> | 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="2020-04-28T11:48:15"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 34 | ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Java·Runtime·Environment</ns0:title> | 36 | ············<ns0:title>Java·Runtime·Environment</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 38 | ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 314, 15 lines modified | Offset 314, 15 lines modified | ||
| 314 | ········</ns3:rpminfo_state> | 314 | ········</ns3:rpminfo_state> |
| 315 | ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1"> | 315 | ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1"> |
| 316 | ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr> | 316 | ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr> |
| 317 | ········</ns3:rpminfo_state> | 317 | ········</ns3:rpminfo_state> |
| 318 | ······</ns0:states> | 318 | ······</ns0:states> |
| 319 | ····</ns0:oval_definitions> | 319 | ····</ns0:oval_definitions> |
| 320 | ··</ds:component> | 320 | ··</ds:component> |
| 321 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="202 | 321 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="2020-04-28T11:48:15"> |
| 322 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 322 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 323 | ······<ns0:generator> | 323 | ······<ns0:generator> |
| 324 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 324 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 325 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 325 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 326 | ········<ns0:schema_version>2.0</ns0:schema_version> | 326 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 327 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 327 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 328 | ······</ns0:generator> | 328 | ······</ns0:generator> |
| Offset 576, 15 lines modified | Offset 576, 15 lines modified | ||
| 576 | If·properly·configured,·the·output·should·return: | 576 | If·properly·configured,·the·output·should·return: |
| 577 | deployment.security.validation.ocsp=true | 577 | deployment.security.validation.ocsp=true |
| 578 | » » » Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text> | 578 | » » » Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text> |
| 579 | ········</ns0:boolean_question> | 579 | ········</ns0:boolean_question> |
| 580 | ······</ns0:questions> | 580 | ······</ns0:questions> |
| 581 | ····</ns0:ocil> | 581 | ····</ns0:ocil> |
| 582 | ··</ds:component> | 582 | ··</ds:component> |
| 583 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="202 | 583 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="2020-04-28T11:48:35"> |
| 584 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> | 584 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> |
| 585 | ······<status·date="2018-07-26">draft</status> | 585 | ······<status·date="2018-07-26">draft</status> |
| 586 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title> | 586 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title> |
| 587 | ······<description·xml:lang="en-US"> | 587 | ······<description·xml:lang="en-US"> |
| 588 | ········This·guide·presents·a·catalog·of·security-relevant | 588 | ········This·guide·presents·a·catalog·of·security-relevant |
| 589 | configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of | 589 | configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of |
| 590 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) | 590 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) |
| Offset 772, 467 lines modified | Offset 772, 145 lines modified | ||
| 772 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/> | 772 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/> |
| 773 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/> | 773 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/> |
| 774 | ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/> | 774 | ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/> |
| 775 | ······</Profile> | 775 | ······</Profile> |
| 776 | ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions"> | 776 | ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions"> |
| 777 | ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 777 | ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 778 | ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 778 | ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 779 | ········<Value·hidden="true"·id="xccdf_org.ssgproject.content_value_function_fi | 779 | ········<Value·hidden="true"·id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> |
| 780 | ··········<title·xml:lang="en-US">Remediation·function·fi | 780 | ··········<title·xml:lang="en-US">Remediation·function·fix_audit_watch_rule</title> |
| 781 | ··········<description·xml:lang="en-US">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 782 | ··········<value>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | ||
| 783 | #·preference·if·it·does·not·exist. | ||
| 784 | # | ||
| 785 | #·Expects·three·arguments: | ||
| 786 | # | ||
| 787 | #·config_file:··········Configuration·file·that·will·be·modified | ||
| 788 | #·key:··················Configuration·option·to·change | ||
| 789 | #·value:················Value·of·the·configuration·option·to·change | ||
| 790 | # | ||
| 791 | # | ||
| 792 | #·Example·Call(s): | ||
| 793 | # | ||
| 794 | #·····Without·string·or·variable: | ||
| 795 | #·····firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | ||
| 796 | # | ||
| 797 | #·····With·string: | ||
| 798 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | ||
| 799 | # | ||
| 800 | #·····With·a·string·variable: | ||
| 801 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"$var_config_file_name\"" | ||
| 802 | # | ||
| 803 | function·firefox_js_setting·{ | ||
| 804 | ··local·firefox_js=$1 | ||
| 805 | ··local·key=$2 | ||
| 806 | ··local·value=$3 | ||
| 807 | ··local·firefox_dirs="/usr/lib/firefox·/usr/lib64/firefox·/usr/local/lib/firefox·/usr/local/lib64/firefox" | ||
| 808 | ··local·firefox_pref="/defaults/pref" | ||
| 809 | ··local·firefox_preferences="/defaults/preferences" | ||
| 810 | ··#·Check·sanity·of·input | ||
| 811 | ··if·[·$#·-lt·"3"·] | ||
| 812 | ··then | ||
| 813 | ········echo·"Usage:·firefox_js_setting·'config_javascript_file'·'key_to_search'·'new_value'" | ||
| 814 | ········echo | ||
| 815 | ········echo·"Aborting." | ||
| 816 | ········exit·1 | ||
| 817 | ··fi | ||
| 818 | ··#·Check·the·possible·Firefox·install·directories | ||
| 819 | ··for·firefox_dir·in·${firefox_dirs};·do | ||
| 820 | ····#·If·the·Firefox·directory·exists,·then·Firefox·is·installed | ||
| 821 | ····if·[·-d·"${firefox_dir}"·];·then | ||
| 822 | ······#·Different·versions·of·Firefox·have·different·preferences·directories,·check·for·them·and·set·the·right·one | ||
| 823 | ······if·[·-d·"${firefox_dir}/${firefox_pref}"·]·;·then | ||
| 824 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_pref}" | ||
| 825 | ······elif·[·-d·"${firefox_dir}/${firefox_preferences}"·]·;·then | ||
| 826 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 827 | ······else | ||
| 828 | ········mkdir·-m·755·-p·"${firefox_dir}/${firefox_preferences}" | ||
| 829 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 830 | ······fi | ||
| 831 | ······#·Make·sure·the·Firefox·.js·file·exists·and·has·the·appropriate·permissions | ||
| 832 | ······if·!·[·-f·"${firefox_pref_dir}/${firefox_js}"·]·;·then | ||
| 833 | ········touch·"${firefox_pref_dir}/${firefox_js}" | ||
| 834 | ········chmod·644·"${firefox_pref_dir}/${firefox_js}" | ||
| 835 | ······fi | ||
| 836 | ······#·If·the·key·exists,·change·it.·Otherwise,·add·it·to·the·config_file. | ||
| 837 | ······if·`grep·-q·"^pref(\"${key}\",·"·"${firefox_pref_dir}/${firefox_js}"`·;·then | ||
| 838 | ········sed·-i·"s/pref(\"${key}\".*/pref(\"${key}\",·${value});/g"·"${firefox_pref_dir}/${firefox_js}" | ||
| 839 | ······else | ||
| 840 | ········echo·"pref(\"${key}\",·${value});"·>>·"${firefox_pref_dir}/${firefox_js}" | ||
| Max diff block lines reached; 69375/78376 bytes (88.52%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:22</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> | 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 190, 467 lines modified | Offset 190, 145 lines modified | ||
| 190 | ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/> | 190 | ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/> |
| 191 | ····<select·idref="java_jre_updated"·selected="true"/> | 191 | ····<select·idref="java_jre_updated"·selected="true"/> |
| 192 | ····<select·idref="remediation_functions"·selected="false"/> | 192 | ····<select·idref="remediation_functions"·selected="false"/> |
| 193 | ··</Profile> | 193 | ··</Profile> |
| 194 | ··<Group·id="remediation_functions"> | 194 | ··<Group·id="remediation_functions"> |
| 195 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 195 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 196 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 196 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 197 | ····<Value·hidden="true"·id="function_fi | 197 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> |
| 198 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fi | 198 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> |
| 199 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 200 | ······<value>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | ||
| 201 | #·preference·if·it·does·not·exist. | ||
| 202 | # | ||
| 203 | #·Expects·three·arguments: | ||
| 204 | # | ||
| 205 | #·config_file:··········Configuration·file·that·will·be·modified | ||
| 206 | #·key:··················Configuration·option·to·change | ||
| 207 | #·value:················Value·of·the·configuration·option·to·change | ||
| 208 | # | ||
| 209 | # | ||
| 210 | #·Example·Call(s): | ||
| 211 | # | ||
| 212 | #·····Without·string·or·variable: | ||
| 213 | #·····firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | ||
| 214 | # | ||
| 215 | #·····With·string: | ||
| 216 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | ||
| 217 | # | ||
| 218 | #·····With·a·string·variable: | ||
| 219 | #·····firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"$var_config_file_name\"" | ||
| 220 | # | ||
| 221 | function·firefox_js_setting·{ | ||
| 222 | ··local·firefox_js=$1 | ||
| 223 | ··local·key=$2 | ||
| 224 | ··local·value=$3 | ||
| 225 | ··local·firefox_dirs="/usr/lib/firefox·/usr/lib64/firefox·/usr/local/lib/firefox·/usr/local/lib64/firefox" | ||
| 226 | ··local·firefox_pref="/defaults/pref" | ||
| 227 | ··local·firefox_preferences="/defaults/preferences" | ||
| 228 | ··#·Check·sanity·of·input | ||
| 229 | ··if·[·$#·-lt·"3"·] | ||
| 230 | ··then | ||
| 231 | ········echo·"Usage:·firefox_js_setting·'config_javascript_file'·'key_to_search'·'new_value'" | ||
| 232 | ········echo | ||
| 233 | ········echo·"Aborting." | ||
| 234 | ········exit·1 | ||
| 235 | ··fi | ||
| 236 | ··#·Check·the·possible·Firefox·install·directories | ||
| 237 | ··for·firefox_dir·in·${firefox_dirs};·do | ||
| 238 | ····#·If·the·Firefox·directory·exists,·then·Firefox·is·installed | ||
| 239 | ····if·[·-d·"${firefox_dir}"·];·then | ||
| 240 | ······#·Different·versions·of·Firefox·have·different·preferences·directories,·check·for·them·and·set·the·right·one | ||
| 241 | ······if·[·-d·"${firefox_dir}/${firefox_pref}"·]·;·then | ||
| 242 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_pref}" | ||
| 243 | ······elif·[·-d·"${firefox_dir}/${firefox_preferences}"·]·;·then | ||
| 244 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 245 | ······else | ||
| 246 | ········mkdir·-m·755·-p·"${firefox_dir}/${firefox_preferences}" | ||
| 247 | ········local·firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | ||
| 248 | ······fi | ||
| 249 | ······#·Make·sure·the·Firefox·.js·file·exists·and·has·the·appropriate·permissions | ||
| 250 | ······if·!·[·-f·"${firefox_pref_dir}/${firefox_js}"·]·;·then | ||
| 251 | ········touch·"${firefox_pref_dir}/${firefox_js}" | ||
| 252 | ········chmod·644·"${firefox_pref_dir}/${firefox_js}" | ||
| 253 | ······fi | ||
| 254 | ······#·If·the·key·exists,·change·it.·Otherwise,·add·it·to·the·config_file. | ||
| 255 | ······if·`grep·-q·"^pref(\"${key}\",·"·"${firefox_pref_dir}/${firefox_js}"`·;·then | ||
| 256 | ········sed·-i·"s/pref(\"${key}\".*/pref(\"${key}\",·${value});/g"·"${firefox_pref_dir}/${firefox_js}" | ||
| 257 | ······else | ||
| 258 | ········echo·"pref(\"${key}\",·${value});"·>>·"${firefox_pref_dir}/${firefox_js}" | ||
| 259 | ······fi | ||
| 260 | ····fi | ||
| 261 | ··done | ||
| 262 | }</value> | ||
| 263 | ····</Value> | ||
| 264 | ····<Value·hidden="true"·id="function_fix_audit_syscall_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 265 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_syscall_rule</title> | ||
| 266 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | 199 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> |
| 267 | ······<value>#·Function·to·fix·sys | 200 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: |
| 268 | #· | 201 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements |
| 269 | #· | 202 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect |
| 270 | #· | 203 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules |
| 271 | #·syscall·group·into·one·audit·rule·(rather·than·to·create·audit·rule·per | ||
| 272 | #·different·system·call)·to·avoid·audit·infrastructure·performance·penalty | ||
| 273 | #·in·the·case·of·'one-audit-rule-definition-per-one-system-call'.·See: | ||
| 274 | # | ||
| 275 | #···https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | ||
| 276 | # | ||
| 277 | #·for·further·details. | ||
| 278 | # | 204 | # |
| 279 | #·Expects·f | 205 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: |
| 280 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | 206 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, |
| 281 | #·» » » » » either·'auditctl',·or·'augenrules | 207 | #·» » » » » either·'auditctl',·or·'augenrules' |
| 282 | #·*·a | 208 | #·*·path························» value·of·-w·audit·rule's·argument |
| 283 | #·*· | 209 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument |
| 284 | #· | 210 | #·*·key·························» value·of·-k·audit·rule's·argument |
| 285 | #·*·architecture» » » architecture·this·rule·is·intended·for | ||
| 286 | #·*·full·form·of·new·rule·to·add» expected·full·form·of·audit·rule·as·to·be | ||
| 287 | #·» » » » » added·into·audit.rules·file | ||
| 288 | # | ||
| 289 | #·Note:·The·2-th·up·to·4-th·arguments·are·used·to·determine·how·many·existing | ||
| 290 | #·audit·rules·will·be·inspected·for·resemblance·with·the·new·audit·rule | ||
| 291 | #·(5-th·argument)·the·function·is·going·to·add.·The·rule's·similarity·check | ||
| 292 | #·is·performed·to·optimize·audit.rules·definition·(merge·syscalls·of·the·same | ||
| 293 | #·group·into·one·rule)·to·avoid·the·"single-syscall-per-audit-rule"·performance | ||
| 294 | #·penalty. | ||
| 295 | # | 211 | # |
| 296 | #·Example·call: | 212 | #·Example·call: |
| 297 | # | 213 | # |
| 298 | # | 214 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" |
| 299 | # | 215 | # |
| 300 | function·fix_audit_ | 216 | function·fix_audit_watch_rule·{ |
| 301 | #·Load·function·arguments·into·local·variables | 217 | #·Load·function·arguments·into·local·variables |
| 302 | local·tool="$1" | 218 | local·tool="$1" |
| 303 | local·pat | 219 | local·path="$2" |
| 304 | local· | 220 | local·required_access_bits="$3" |
| 305 | local· | 221 | local·key="$4" |
| 306 | local·full_rule="$5" | ||
| 307 | #·Check·sanity·of·the·input | 222 | #·Check·sanity·of·the·input |
| 308 | if·[·$#·-ne·" | 223 | if·[·$#·-ne·"4"·] |
| 309 | then | 224 | then |
| Max diff block lines reached; 63775/71542 bytes (89.14%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····2 | 2 | -rw-r--r--···0········0········0·····2112·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···165 | 3 | -rw-r--r--···0········0········0···165080·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 34 lines modified | Offset 220, 34 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm489 | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm490 | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4905">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4905"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-·ntp | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ntp_installed | 238 | ····-·package_ntp_installed |
| 239 | ····-·high_severity | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53-AU-8(1) | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | ····-·PCI-DSS-Req-10.4 | 245 | ····-·PCI-DSS-Req-10.4 |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm490 | 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 247 | class·install_ntp·{ | 247 | class·install_ntp·{ |
| 248 | ··package·{·'ntp': | 248 | ··package·{·'ntp': |
| 249 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 250 | ··} | 250 | ··} |
| 251 | } | 251 | } |
| 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server |
| Offset 258, 37 lines modified | Offset 258, 15 lines modified | ||
| 258 | consideration·in·the·OpenSSH·configuration·writing | 258 | consideration·in·the·OpenSSH·configuration·writing |
| 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 267 | permitted.·The·default·setting·in | ||
| 268 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 269 | verified·by·ensuring·that·the·following | ||
| 270 | line·appears: | ||
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 272 | result·in·security·vulnerabilities·and | ||
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 278 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 279 | <code>/etc/ssh/sshd_config</code>: | ||
| 280 | <pre>PermitEmptyPasswords·no</pre> | ||
| 281 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 282 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 287 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 267 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 290 | <br><br> | 268 | <br><br> |
| 291 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 269 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 292 | follows: | 270 | follows: |
| 293 | <pre>ClientAliveInterval·<b>interval</b></pre> | 271 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 294 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 272 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 298, 23 lines modified | Offset 276, 45 lines modified | ||
| 298 | shell,·that·value·will·preempt·any·SSH | 276 | shell,·that·value·will·preempt·any·SSH |
| 299 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 277 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 300 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 278 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 301 | guards·against·compromises·one·system·leading·trivially | 279 | guards·against·compromises·one·system·leading·trivially |
| 302 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 280 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 303 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 281 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 282 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 305 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 283 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5035"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 284 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 285 | permitted.·The·default·setting·in | ||
| 286 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 287 | verified·by·ensuring·that·the·following | ||
| 288 | line·appears: | ||
| 289 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 290 | result·in·security·vulnerabilities·and | ||
| 291 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 292 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 293 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 294 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5050"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count | ||
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 295 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 307 | edit·<code>/etc/ssh/sshd_config</code>·as | 296 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 308 | follows: | 297 | follows: |
| 309 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 298 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 310 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 299 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 311 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 300 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 301 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 313 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_ | 302 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 304 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 305 | <code>/etc/ssh/sshd_config</code>: | ||
| 306 | <pre>PermitEmptyPasswords·no</pre> | ||
| 307 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 308 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 309 | remote·login·via·SSH·will·require·a·password, | ||
| 310 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 311 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 313 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·id="guide-tree-leaf-idm5080"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">Disable·SSH·Root·Login | ||
| Max diff block lines reached; 45330/74118 bytes (61.16%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4905">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4905"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4909"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4916">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4916"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4917">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4917"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5035"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| Max diff block lines reached; 49264/81852 bytes (60.19%) of diff not shown. | |||
| Offset 202, 25 lines modified | Offset 202, 25 lines modified | ||
| 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority |
| 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· |
| 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands |
| 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. | 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. |
| 207 | <br><br> | 207 | <br><br> |
| 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see |
| 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5 | 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5405"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate |
| 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using |
| 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or | 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or |
| 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 214 | do·not·have·authorization. | 214 | do·not·have·authorization. |
| 215 | <br><br> | 215 | <br><br> |
| 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5 | 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5425"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD |
| 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using | 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using |
| 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· | 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· |
| 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 224 | do·not·have·authorization. | 224 | do·not·have·authorization. |
| 225 | <br><br> | 225 | <br><br> |
| 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4905">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4905"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4909"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4916">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4916"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4917">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4917"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5035"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| Max diff block lines reached; 50067/82462 bytes (60.72%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 76, 22 lines modified | Offset 76, 15 lines modified | ||
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog |
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 85 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 86 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 87 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 88 | <br><br> | ||
| 89 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 90 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog | ||
| 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for | 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for |
| 92 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, | 85 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, |
| 93 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, | 86 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, |
| 94 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, | 87 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, |
| 95 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by | 88 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by |
| 96 | almost·all·Unix·applications. | 89 | almost·all·Unix·applications. |
| 97 | <br> | 90 | <br> |
| Offset 173, 15 lines modified | Offset 166, 22 lines modified | ||
| 173 | stores·four·archival·copies·of·each·log.·These·settings·can·be | 166 | stores·four·archival·copies·of·each·log.·These·settings·can·be |
| 174 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | 167 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are |
| 175 | sufficient·for·purposes·of·this·guide. | 168 | sufficient·for·purposes·of·this·guide. |
| 176 | <br><br> | 169 | <br><br> |
| 177 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | 170 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job |
| 178 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | 171 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be |
| 179 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | 172 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be |
| 180 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 173 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 175 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 176 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 177 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 178 | <br><br> | ||
| 179 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 180 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem | ||
| 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, | 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, |
| 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation | 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation |
| 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms | 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms |
| 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning | 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive |
| 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by | 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by |
| 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the | 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the |
| Offset 222, 84 lines modified | Offset 222, 84 lines modified | ||
| 222 | class·remove_telnetd·{ | 222 | class·remove_telnetd·{ |
| 223 | ··package·{·'telnetd': | 223 | ··package·{·'telnetd': |
| 224 | ····ensure·=>·'purged', | 224 | ····ensure·=>·'purged', |
| 225 | ··} | 225 | ··} |
| 226 | } | 226 | } |
| 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 233 | ············<a·href="http:// | 233 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4893">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4893"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·cron |
| 234 | ·· | 234 | ··service: |
| 235 | ····name="{{item}}" | 235 | ····name="{{item}}" |
| 236 | ···· | 236 | ····enabled="yes" |
| 237 | ····state="started" | ||
| 237 | ··with_items: | 238 | ··with_items: |
| 238 | ····-·cron | 239 | ····-·cron |
| 239 | ··tags: | 240 | ··tags: |
| 240 | ····-· | 241 | ····-·service_cron_enabled |
| 241 | ····-·medium_severity | 242 | ····-·medium_severity |
| 242 | ····-·enable_strategy | 243 | ····-·enable_strategy |
| 243 | ····-·low_complexity | 244 | ····-·low_complexity |
| 244 | ····-·low_disruption | 245 | ····-·low_disruption |
| 245 | ····-·CCE- | 246 | ····-·CCE- |
| 246 | ····-·NIST-800-53-CM-7 | 247 | ····-·NIST-800-53-CM-7 |
| 247 | </code></pre></div>< | 248 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 248 | class·install_cron·{ | ||
| 249 | ··package·{·'cron': | ||
| 250 | ····ensure·=>·'installed', | ||
| 251 | ··} | ||
| 252 | } | ||
| 253 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4898"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | ||
| 254 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 249 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 255 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 250 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 256 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 251 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 257 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm490 | 252 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4905">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4905"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 258 | ··package: | 253 | ··package: |
| 259 | ····name="{{item}}" | 254 | ····name="{{item}}" |
| 260 | ····state=present | 255 | ····state=present |
| 261 | ··with_items: | 256 | ··with_items: |
| 262 | ····-·ntp | 257 | ····-·ntp |
| 263 | ··tags: | 258 | ··tags: |
| 264 | ····-·package_ntp_installed | 259 | ····-·package_ntp_installed |
| 265 | ····-·high_severity | 260 | ····-·high_severity |
| 266 | ····-·enable_strategy | 261 | ····-·enable_strategy |
| 267 | ····-·low_complexity | 262 | ····-·low_complexity |
| 268 | ····-·low_disruption | 263 | ····-·low_disruption |
| 269 | ····-·CCE- | 264 | ····-·CCE- |
| 270 | ····-·NIST-800-53-AU-8(1) | 265 | ····-·NIST-800-53-AU-8(1) |
| 271 | ····-·PCI-DSS-Req-10.4 | 266 | ····-·PCI-DSS-Req-10.4 |
| 272 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm490 | 267 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 273 | class·install_ntp·{ | 268 | class·install_ntp·{ |
| 274 | ··package·{·'ntp': | 269 | ··package·{·'ntp': |
| 275 | ····ensure·=>·'installed', | 270 | ····ensure·=>·'installed', |
| 276 | ··} | 271 | ··} |
| 277 | } | 272 | } |
| 278 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 273 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4909"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 279 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 274 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 280 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 275 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 281 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 276 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 282 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm491 | 277 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4916">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4916"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 283 | ·· | 278 | ··package: |
| 284 | ····name="{{item}}" | 279 | ····name="{{item}}" |
| 285 | ···· | 280 | ····state=present |
| 286 | ····state="started" | ||
| 287 | ··with_items: | 281 | ··with_items: |
| 288 | ····-·cron | 282 | ····-·cron |
| 289 | ··tags: | 283 | ··tags: |
| 290 | ····-· | 284 | ····-·package_cron_installed |
| 291 | ····-·medium_severity | 285 | ····-·medium_severity |
| 292 | ····-·enable_strategy | 286 | ····-·enable_strategy |
| 293 | ····-·low_complexity | 287 | ····-·low_complexity |
| 294 | ····-·low_disruption | 288 | ····-·low_disruption |
| 295 | ····-·CCE- | 289 | ····-·CCE- |
| 296 | ····-·NIST-800-53-CM-7 | 290 | ····-·NIST-800-53-CM-7 |
| 291 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4917">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4917"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron | ||
| 292 | class·install_cron·{ | ||
| 293 | ··package·{·'cron': | ||
| 294 | ····ensure·=>·'installed', | ||
| 295 | ··} | ||
| 296 | } | ||
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4926">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4926"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed | 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4926">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4926"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed |
| 302 | ··package: | 302 | ··package: |
| 303 | ····name="{{item}}" | 303 | ····name="{{item}}" |
| Offset 373, 37 lines modified | Offset 373, 15 lines modified | ||
| 373 | consideration·in·the·OpenSSH·configuration·writing | 373 | consideration·in·the·OpenSSH·configuration·writing |
| 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 382 | permitted.·The·default·setting·in | ||
| 383 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 384 | verified·by·ensuring·that·the·following | ||
| 385 | line·appears: | ||
| 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 387 | result·in·security·vulnerabilities·and | ||
| 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 393 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 394 | <code>/etc/ssh/sshd_config</code>: | ||
| 395 | <pre>PermitEmptyPasswords·no</pre> | ||
| 396 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 397 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 398 | remote·login·via·SSH·will·require·a·password, | ||
| 399 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 400 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 401 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 402 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 403 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 404 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 382 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 405 | <br><br> | 383 | <br><br> |
| 406 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 384 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| Max diff block lines reached; 45838/71199 bytes (64.38%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 34 lines modified | Offset 220, 34 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4 | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm49 | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-·ntp | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ntp_installed | 238 | ····-·package_ntp_installed |
| 239 | ····-·high_severity | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53-AU-8(1) | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | ····-·PCI-DSS-Req-10.4 | 245 | ····-·PCI-DSS-Req-10.4 |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm49 | 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 247 | class·install_ntp·{ | 247 | class·install_ntp·{ |
| 248 | ··package·{·'ntp': | 248 | ··package·{·'ntp': |
| 249 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 250 | ··} | 250 | ··} |
| 251 | } | 251 | } |
| 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server |
| Offset 258, 37 lines modified | Offset 258, 15 lines modified | ||
| 258 | consideration·in·the·OpenSSH·configuration·writing | 258 | consideration·in·the·OpenSSH·configuration·writing |
| 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5015"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 267 | permitted.·The·default·setting·in | ||
| 268 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 269 | verified·by·ensuring·that·the·following | ||
| 270 | line·appears: | ||
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 272 | result·in·security·vulnerabilities·and | ||
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 278 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 279 | <code>/etc/ssh/sshd_config</code>: | ||
| 280 | <pre>PermitEmptyPasswords·no</pre> | ||
| 281 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 282 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 287 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 267 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 290 | <br><br> | 268 | <br><br> |
| 291 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 269 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 292 | follows: | 270 | follows: |
| 293 | <pre>ClientAliveInterval·<b>interval</b></pre> | 271 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 294 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 272 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 298, 23 lines modified | Offset 276, 45 lines modified | ||
| 298 | shell,·that·value·will·preempt·any·SSH | 276 | shell,·that·value·will·preempt·any·SSH |
| 299 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 277 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 300 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 278 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 301 | guards·against·compromises·one·system·leading·trivially | 279 | guards·against·compromises·one·system·leading·trivially |
| 302 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 280 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 303 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 281 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 282 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 305 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 283 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 284 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 285 | permitted.·The·default·setting·in | ||
| 286 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 287 | verified·by·ensuring·that·the·following | ||
| 288 | line·appears: | ||
| 289 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 290 | result·in·security·vulnerabilities·and | ||
| 291 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 292 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 293 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 294 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5053"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count | ||
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 295 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 307 | edit·<code>/etc/ssh/sshd_config</code>·as | 296 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 308 | follows: | 297 | follows: |
| 309 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 298 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 310 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 299 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 311 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 300 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 301 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 313 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_ | 302 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5069"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 304 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 305 | <code>/etc/ssh/sshd_config</code>: | ||
| 306 | <pre>PermitEmptyPasswords·no</pre> | ||
| 307 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 308 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 309 | remote·login·via·SSH·will·require·a·password, | ||
| 310 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 311 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 313 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">Disable·SSH·Root·Login | ||
| Max diff block lines reached; 45330/74118 bytes (61.16%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4912"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4919">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4919"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4920">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4920"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4911">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4911"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5015"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| Max diff block lines reached; 49264/81852 bytes (60.19%) of diff not shown. | |||
| Offset 202, 25 lines modified | Offset 202, 25 lines modified | ||
| 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority |
| 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· |
| 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands |
| 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. | 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. |
| 207 | <br><br> | 207 | <br><br> |
| 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see |
| 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5 | 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5408"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate |
| 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using |
| 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or | 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or |
| 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 214 | do·not·have·authorization. | 214 | do·not·have·authorization. |
| 215 | <br><br> | 215 | <br><br> |
| 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5 | 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5428"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD |
| 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using | 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using |
| 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· | 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· |
| 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 224 | do·not·have·authorization. | 224 | do·not·have·authorization. |
| 225 | <br><br> | 225 | <br><br> |
| 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4912"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4919">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4919"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4920">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4920"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4911">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4911"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5015"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| Max diff block lines reached; 50067/82462 bytes (60.72%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 76, 22 lines modified | Offset 76, 15 lines modified | ||
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog |
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 85 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 86 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 87 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 88 | <br><br> | ||
| 89 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 90 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog | ||
| 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for | 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for |
| 92 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, | 85 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, |
| 93 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, | 86 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, |
| 94 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, | 87 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, |
| 95 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by | 88 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by |
| 96 | almost·all·Unix·applications. | 89 | almost·all·Unix·applications. |
| 97 | <br> | 90 | <br> |
| Offset 173, 15 lines modified | Offset 166, 22 lines modified | ||
| 173 | stores·four·archival·copies·of·each·log.·These·settings·can·be | 166 | stores·four·archival·copies·of·each·log.·These·settings·can·be |
| 174 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | 167 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are |
| 175 | sufficient·for·purposes·of·this·guide. | 168 | sufficient·for·purposes·of·this·guide. |
| 176 | <br><br> | 169 | <br><br> |
| 177 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | 170 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job |
| 178 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | 171 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be |
| 179 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | 172 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be |
| 180 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 173 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 175 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 176 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 177 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 178 | <br><br> | ||
| 179 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 180 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem | ||
| 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, | 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, |
| 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation | 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation |
| 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms | 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms |
| 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning | 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive |
| 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by | 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by |
| 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the | 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the |
| Offset 222, 84 lines modified | Offset 222, 84 lines modified | ||
| 222 | class·remove_telnetd·{ | 222 | class·remove_telnetd·{ |
| 223 | ··package·{·'telnetd': | 223 | ··package·{·'telnetd': |
| 224 | ····ensure·=>·'purged', | 224 | ····ensure·=>·'purged', |
| 225 | ··} | 225 | ··} |
| 226 | } | 226 | } |
| 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4890"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 233 | ············<a·href="http:// | 233 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4896">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4896"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·cron |
| 234 | ·· | 234 | ··service: |
| 235 | ····name="{{item}}" | 235 | ····name="{{item}}" |
| 236 | ···· | 236 | ····enabled="yes" |
| 237 | ····state="started" | ||
| 237 | ··with_items: | 238 | ··with_items: |
| 238 | ····-·cron | 239 | ····-·cron |
| 239 | ··tags: | 240 | ··tags: |
| 240 | ····-· | 241 | ····-·service_cron_enabled |
| 241 | ····-·medium_severity | 242 | ····-·medium_severity |
| 242 | ····-·enable_strategy | 243 | ····-·enable_strategy |
| 243 | ····-·low_complexity | 244 | ····-·low_complexity |
| 244 | ····-·low_disruption | 245 | ····-·low_disruption |
| 245 | ····-·CCE- | 246 | ····-·CCE- |
| 246 | ····-·NIST-800-53-CM-7 | 247 | ····-·NIST-800-53-CM-7 |
| 247 | </code></pre></div>< | 248 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 248 | class·install_cron·{ | ||
| 249 | ··package·{·'cron': | ||
| 250 | ····ensure·=>·'installed', | ||
| 251 | ··} | ||
| 252 | } | ||
| 253 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4901"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | ||
| 254 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 249 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 255 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 250 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 256 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 251 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 257 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm49 | 252 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 258 | ··package: | 253 | ··package: |
| 259 | ····name="{{item}}" | 254 | ····name="{{item}}" |
| 260 | ····state=present | 255 | ····state=present |
| 261 | ··with_items: | 256 | ··with_items: |
| 262 | ····-·ntp | 257 | ····-·ntp |
| 263 | ··tags: | 258 | ··tags: |
| 264 | ····-·package_ntp_installed | 259 | ····-·package_ntp_installed |
| 265 | ····-·high_severity | 260 | ····-·high_severity |
| 266 | ····-·enable_strategy | 261 | ····-·enable_strategy |
| 267 | ····-·low_complexity | 262 | ····-·low_complexity |
| 268 | ····-·low_disruption | 263 | ····-·low_disruption |
| 269 | ····-·CCE- | 264 | ····-·CCE- |
| 270 | ····-·NIST-800-53-AU-8(1) | 265 | ····-·NIST-800-53-AU-8(1) |
| 271 | ····-·PCI-DSS-Req-10.4 | 266 | ····-·PCI-DSS-Req-10.4 |
| 272 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm49 | 267 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 273 | class·install_ntp·{ | 268 | class·install_ntp·{ |
| 274 | ··package·{·'ntp': | 269 | ··package·{·'ntp': |
| 275 | ····ensure·=>·'installed', | 270 | ····ensure·=>·'installed', |
| 276 | ··} | 271 | ··} |
| 277 | } | 272 | } |
| 278 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 273 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4912"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 279 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 274 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 280 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 275 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 281 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 276 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 282 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm49 | 277 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4919">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4919"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 283 | ·· | 278 | ··package: |
| 284 | ····name="{{item}}" | 279 | ····name="{{item}}" |
| 285 | ···· | 280 | ····state=present |
| 286 | ····state="started" | ||
| 287 | ··with_items: | 281 | ··with_items: |
| 288 | ····-·cron | 282 | ····-·cron |
| 289 | ··tags: | 283 | ··tags: |
| 290 | ····-· | 284 | ····-·package_cron_installed |
| 291 | ····-·medium_severity | 285 | ····-·medium_severity |
| 292 | ····-·enable_strategy | 286 | ····-·enable_strategy |
| 293 | ····-·low_complexity | 287 | ····-·low_complexity |
| 294 | ····-·low_disruption | 288 | ····-·low_disruption |
| 295 | ····-·CCE- | 289 | ····-·CCE- |
| 296 | ····-·NIST-800-53-CM-7 | 290 | ····-·NIST-800-53-CM-7 |
| 291 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4920">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4920"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron | ||
| 292 | class·install_cron·{ | ||
| 293 | ··package·{·'cron': | ||
| 294 | ····ensure·=>·'installed', | ||
| 295 | ··} | ||
| 296 | } | ||
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4923"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4929">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4929"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed | 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4929">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4929"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed |
| 302 | ··package: | 302 | ··package: |
| 303 | ····name="{{item}}" | 303 | ····name="{{item}}" |
| Offset 373, 37 lines modified | Offset 373, 15 lines modified | ||
| 373 | consideration·in·the·OpenSSH·configuration·writing | 373 | consideration·in·the·OpenSSH·configuration·writing |
| 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for | 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Ubuntu·package·for |
| 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5015"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 382 | permitted.·The·default·setting·in | ||
| 383 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 384 | verified·by·ensuring·that·the·following | ||
| 385 | line·appears: | ||
| 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 387 | result·in·security·vulnerabilities·and | ||
| 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 393 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 394 | <code>/etc/ssh/sshd_config</code>: | ||
| 395 | <pre>PermitEmptyPasswords·no</pre> | ||
| 396 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 397 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 398 | remote·login·via·SSH·will·require·a·password, | ||
| 399 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 400 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 401 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 402 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 403 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 404 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 382 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 405 | <br><br> | 383 | <br><br> |
| 406 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 384 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| Max diff block lines reached; 45838/71199 bytes (64.38%) of diff not shown. | |||
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 108, 22 lines modified | Offset 108, 23 lines modified | ||
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 114 | ···· |
| 115 | ····-·name:·En | 115 | ····-·name:·Enable·service·cron |
| 116 | ······ | 116 | ······service: |
| 117 | ········name="{{item}}" | 117 | ········name="{{item}}" |
| 118 | ········ | 118 | ········enabled="yes" |
| 119 | ········state="started" | ||
| 119 | ······with_items: | 120 | ······with_items: |
| 120 | ········-·cron | 121 | ········-·cron |
| 121 | ······tags: | 122 | ······tags: |
| 122 | ········-· | 123 | ········-·service_cron_enabled |
| 123 | ········-·medium_severity | 124 | ········-·medium_severity |
| 124 | ········-·enable_strategy | 125 | ········-·enable_strategy |
| 125 | ········-·low_complexity | 126 | ········-·low_complexity |
| 126 | ········-·low_disruption | 127 | ········-·low_disruption |
| 127 | ········-·CCE- | 128 | ········-·CCE- |
| 128 | ········-·NIST-800-53-CM-7 | 129 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 130 | ···· |
| Offset 139, 23 lines modified | Offset 140, 22 lines modified | ||
| 139 | ········-·enable_strategy | 140 | ········-·enable_strategy |
| 140 | ········-·low_complexity | 141 | ········-·low_complexity |
| 141 | ········-·low_disruption | 142 | ········-·low_disruption |
| 142 | ········-·CCE- | 143 | ········-·CCE- |
| 143 | ········-·NIST-800-53-AU-8(1) | 144 | ········-·NIST-800-53-AU-8(1) |
| 144 | ········-·PCI-DSS-Req-10.4 | 145 | ········-·PCI-DSS-Req-10.4 |
| 145 | ···· | 146 | ···· |
| 146 | ····-·name:·En | 147 | ····-·name:·Ensure·cron·is·installed |
| 147 | ······ | 148 | ······package: |
| 148 | ········name="{{item}}" | 149 | ········name="{{item}}" |
| 149 | ········ | 150 | ········state=present |
| 150 | ········state="started" | ||
| 151 | ······with_items: | 151 | ······with_items: |
| 152 | ········-·cron | 152 | ········-·cron |
| 153 | ······tags: | 153 | ······tags: |
| 154 | ········-· | 154 | ········-·package_cron_installed |
| 155 | ········-·medium_severity | 155 | ········-·medium_severity |
| 156 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 157 | ········-·low_complexity | 157 | ········-·low_complexity |
| 158 | ········-·low_disruption | 158 | ········-·low_disruption |
| 159 | ········-·CCE- | 159 | ········-·CCE- |
| 160 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ···· | 161 | ···· |
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 108, 22 lines modified | Offset 108, 23 lines modified | ||
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 114 | ···· |
| 115 | ····-·name:·En | 115 | ····-·name:·Enable·service·cron |
| 116 | ······ | 116 | ······service: |
| 117 | ········name="{{item}}" | 117 | ········name="{{item}}" |
| 118 | ········ | 118 | ········enabled="yes" |
| 119 | ········state="started" | ||
| 119 | ······with_items: | 120 | ······with_items: |
| 120 | ········-·cron | 121 | ········-·cron |
| 121 | ······tags: | 122 | ······tags: |
| 122 | ········-· | 123 | ········-·service_cron_enabled |
| 123 | ········-·medium_severity | 124 | ········-·medium_severity |
| 124 | ········-·enable_strategy | 125 | ········-·enable_strategy |
| 125 | ········-·low_complexity | 126 | ········-·low_complexity |
| 126 | ········-·low_disruption | 127 | ········-·low_disruption |
| 127 | ········-·CCE- | 128 | ········-·CCE- |
| 128 | ········-·NIST-800-53-CM-7 | 129 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 130 | ···· |
| Offset 139, 23 lines modified | Offset 140, 22 lines modified | ||
| 139 | ········-·enable_strategy | 140 | ········-·enable_strategy |
| 140 | ········-·low_complexity | 141 | ········-·low_complexity |
| 141 | ········-·low_disruption | 142 | ········-·low_disruption |
| 142 | ········-·CCE- | 143 | ········-·CCE- |
| 143 | ········-·NIST-800-53-AU-8(1) | 144 | ········-·NIST-800-53-AU-8(1) |
| 144 | ········-·PCI-DSS-Req-10.4 | 145 | ········-·PCI-DSS-Req-10.4 |
| 145 | ···· | 146 | ···· |
| 146 | ····-·name:·En | 147 | ····-·name:·Ensure·cron·is·installed |
| 147 | ······ | 148 | ······package: |
| 148 | ········name="{{item}}" | 149 | ········name="{{item}}" |
| 149 | ········ | 150 | ········state=present |
| 150 | ········state="started" | ||
| 151 | ······with_items: | 151 | ······with_items: |
| 152 | ········-·cron | 152 | ········-·cron |
| 153 | ······tags: | 153 | ······tags: |
| 154 | ········-· | 154 | ········-·package_cron_installed |
| 155 | ········-·medium_severity | 155 | ········-·medium_severity |
| 156 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 157 | ········-·low_complexity | 157 | ········-·low_complexity |
| 158 | ········-·low_disruption | 158 | ········-·low_disruption |
| 159 | ········-·CCE- | 159 | ········-·CCE- |
| 160 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ···· | 161 | ···· |
| Offset 90, 40 lines modified | Offset 90, 40 lines modified | ||
| 90 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' | 90 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") | 92 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·'package_ntp_installed' | 94 | #·END·fix·for·'package_ntp_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·32)·for·'sshd_ | 96 | #·BEGIN·fix·(7·/·32)·for·'sshd_set_idle_timeout' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/32:·'sshd_ | 98 | (>&2·echo·"Remediating·rule·7/32:·'sshd_set_idle_timeout'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'sshd_ | 100 | #·END·fix·for·'sshd_set_idle_timeout' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·32)·for·'sshd_ | 102 | #·BEGIN·fix·(8·/·32)·for·'sshd_allow_only_protocol2' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/32:·'sshd_ | 104 | (>&2·echo·"Remediating·rule·8/32:·'sshd_allow_only_protocol2'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'sshd_ | 106 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_ | 108 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_keepalive' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_ | 110 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_keepalive'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'sshd_set_ | 112 | #·END·fix·for·'sshd_set_keepalive' |
| 113 | ############################################################################### | 113 | ############################################################################### |
| 114 | #·BEGIN·fix·(10·/·32)·for·'sshd_set_ | 114 | #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·10/32:·'sshd_set_ | 116 | (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'sshd_set_ | 118 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' | 120 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") | 122 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") |
| 123 | #·FIX·FOR·THIS·RULE·IS·MISSING | 123 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 124 | #·END·fix·for·'sshd_disable_root_login' | 124 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 132, 75 lines modified | Offset 132, 75 lines modified | ||
| 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' | 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") | 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | #·BEGIN·fix·(13·/·32)·for·'s | 138 | #·BEGIN·fix·(13·/·32)·for·'rsyslog_files_permissions' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule·13/32:·'s | 140 | (>&2·echo·"Remediating·rule·13/32:·'rsyslog_files_permissions'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 141 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·'s | 142 | #·END·fix·for·'rsyslog_files_permissions' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | #·BEGIN·fix·(14·/·32)·for·'s | 144 | #·BEGIN·fix·(14·/·32)·for·'rsyslog_files_ownership' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule·14/32:·'s | 146 | (>&2·echo·"Remediating·rule·14/32:·'rsyslog_files_ownership'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 147 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·'s | 148 | #·END·fix·for·'rsyslog_files_ownership' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership' | 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'") | 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'") |
| 153 | #·FIX·FOR·THIS·RULE·IS·MISSING | 153 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 154 | #·END·fix·for·'rsyslog_files_groupownership' | 154 | #·END·fix·for·'rsyslog_files_groupownership' |
| 155 | ############################################################################### | 155 | ############################################################################### |
| 156 | #·BEGIN·fix·(16·/·32)·for·' | 156 | #·BEGIN·fix·(16·/·32)·for·'ensure_logrotate_activated' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | (>&2·echo·"Remediating·rule·16/32:·' | 158 | (>&2·echo·"Remediating·rule·16/32:·'ensure_logrotate_activated'") |
| 159 | #·FIX·FOR·THIS·RULE·IS·MISSING | 159 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 160 | #·END·fix·for·' | 160 | #·END·fix·for·'ensure_logrotate_activated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | #·BEGIN·fix·(17·/·32)·for·' | 162 | #·BEGIN·fix·(17·/·32)·for·'sudo_remove_no_authenticate' |
| 163 | ############################################################################### | 163 | ############################################################################### |
| 164 | (>&2·echo·"Remediating·rule·17/32:·' | 164 | (>&2·echo·"Remediating·rule·17/32:·'sudo_remove_no_authenticate'") |
| 165 | #·FIX·FOR·THIS·RULE·IS·MISSING | 165 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 166 | #·END·fix·for·' | 166 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | #·BEGIN·fix·(18·/·32)·for·' | 168 | #·BEGIN·fix·(18·/·32)·for·'sudo_remove_nopasswd' |
| 169 | ############################################################################### | 169 | ############################################################################### |
| 170 | (>&2·echo·"Remediating·rule·18/32:·' | 170 | (>&2·echo·"Remediating·rule·18/32:·'sudo_remove_nopasswd'") |
| 171 | #·FIX·FOR·THIS·RULE·IS·MISSING | 171 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 172 | #·END·fix·for·' | 172 | #·END·fix·for·'sudo_remove_nopasswd' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | #·BEGIN·fix·(19·/·32)·for·'partition_for_home' | 174 | #·BEGIN·fix·(19·/·32)·for·'partition_for_home' |
| 175 | ############################################################################### | 175 | ############################################################################### |
| 176 | (>&2·echo·"Remediating·rule·19/32:·'partition_for_home'") | 176 | (>&2·echo·"Remediating·rule·19/32:·'partition_for_home'") |
| 177 | #·FIX·FOR·THIS·RULE·IS·MISSING | 177 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 178 | #·END·fix·for·'partition_for_home' | 178 | #·END·fix·for·'partition_for_home' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | #·BEGIN·fix·(20·/·32)·for·'partition_for_ | 180 | #·BEGIN·fix·(20·/·32)·for·'partition_for_var' |
| 181 | ############################################################################### | 181 | ############################################################################### |
| 182 | (>&2·echo·"Remediating·rule·20/32:·'partition_for_ | 182 | (>&2·echo·"Remediating·rule·20/32:·'partition_for_var'") |
| 183 | #·FIX·FOR·THIS·RULE·IS·MISSING | 183 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 184 | #·END·fix·for·'partition_for_ | 184 | #·END·fix·for·'partition_for_var' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | #·BEGIN·fix·(21·/·32)·for·'partition_for_ | 186 | #·BEGIN·fix·(21·/·32)·for·'partition_for_tmp' |
| 187 | ############################################################################### | 187 | ############################################################################### |
| 188 | (>&2·echo·"Remediating·rule·21/32:·'partition_for_ | 188 | (>&2·echo·"Remediating·rule·21/32:·'partition_for_tmp'") |
| 189 | #·FIX·FOR·THIS·RULE·IS·MISSING | 189 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 190 | #·END·fix·for·'partition_for_ | 190 | #·END·fix·for·'partition_for_tmp' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | #·BEGIN·fix·(22·/·32)·for·'partition_for_var_log_audit' | 192 | #·BEGIN·fix·(22·/·32)·for·'partition_for_var_log_audit' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | (>&2·echo·"Remediating·rule·22/32:·'partition_for_var_log_audit'") | 194 | (>&2·echo·"Remediating·rule·22/32:·'partition_for_var_log_audit'") |
| 195 | #·FIX·FOR·THIS·RULE·IS·MISSING | 195 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 196 | #·END·fix·for·'partition_for_var_log_audit' | 196 | #·END·fix·for·'partition_for_var_log_audit' |
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·37)·for·'package_ | 88 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/37:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·37)·for·'package_ | 94 | #·BEGIN·fix·(7·/·37)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/37:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/37:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·37)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·37)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/37:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/37:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·37)·for·'service_auditd_enabled' | 118 | #·BEGIN·fix·(10·/·37)·for·'service_auditd_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/37:·'service_auditd_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/37:·'service_auditd_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_auditd_enabled' | 122 | #·END·fix·for·'service_auditd_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·37)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·37)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/37:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/37:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·37)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·37)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/37:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/37:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·37)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/37:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 167, 75 lines modified | Offset 167, 75 lines modified | ||
| 167 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' | 167 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") | 169 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") |
| 170 | #·FIX·FOR·THIS·RULE·IS·MISSING | 170 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 171 | #·END·fix·for·'grub2_enable_iommu_force' | 171 | #·END·fix·for·'grub2_enable_iommu_force' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | #·BEGIN·fix·(18·/·37)·for·'s | 173 | #·BEGIN·fix·(18·/·37)·for·'rsyslog_files_permissions' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | (>&2·echo·"Remediating·rule·18/37:·'s | 175 | (>&2·echo·"Remediating·rule·18/37:·'rsyslog_files_permissions'") |
| 176 | #·FIX·FOR·THIS·RULE·IS·MISSING | 176 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 177 | #·END·fix·for·'s | 177 | #·END·fix·for·'rsyslog_files_permissions' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | #·BEGIN·fix·(19·/·37)·for·'s | 179 | #·BEGIN·fix·(19·/·37)·for·'rsyslog_files_ownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | (>&2·echo·"Remediating·rule·19/37:·'s | 181 | (>&2·echo·"Remediating·rule·19/37:·'rsyslog_files_ownership'") |
| 182 | #·FIX·FOR·THIS·RULE·IS·MISSING | 182 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 183 | #·END·fix·for·'s | 183 | #·END·fix·for·'rsyslog_files_ownership' |
| 184 | ############################################################################### | 184 | ############################################################################### |
| 185 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_groupownership' | 185 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_groupownership' |
| 186 | ############################################################################### | 186 | ############################################################################### |
| 187 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_groupownership'") | 187 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_groupownership'") |
| 188 | #·FIX·FOR·THIS·RULE·IS·MISSING | 188 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 189 | #·END·fix·for·'rsyslog_files_groupownership' | 189 | #·END·fix·for·'rsyslog_files_groupownership' |
| 190 | ############################################################################### | 190 | ############################################################################### |
| 191 | #·BEGIN·fix·(21·/·37)·for·' | 191 | #·BEGIN·fix·(21·/·37)·for·'ensure_logrotate_activated' |
| 192 | ############################################################################### | 192 | ############################################################################### |
| 193 | (>&2·echo·"Remediating·rule·21/37:·' | 193 | (>&2·echo·"Remediating·rule·21/37:·'ensure_logrotate_activated'") |
| 194 | #·FIX·FOR·THIS·RULE·IS·MISSING | 194 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 195 | #·END·fix·for·' | 195 | #·END·fix·for·'ensure_logrotate_activated' |
| 196 | ############################################################################### | 196 | ############################################################################### |
| 197 | #·BEGIN·fix·(22·/·37)·for·' | 197 | #·BEGIN·fix·(22·/·37)·for·'sudo_remove_no_authenticate' |
| 198 | ############################################################################### | 198 | ############################################################################### |
| 199 | (>&2·echo·"Remediating·rule·22/37:·' | 199 | (>&2·echo·"Remediating·rule·22/37:·'sudo_remove_no_authenticate'") |
| 200 | #·FIX·FOR·THIS·RULE·IS·MISSING | 200 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 201 | #·END·fix·for·' | 201 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 202 | ############################################################################### | 202 | ############################################################################### |
| 203 | #·BEGIN·fix·(23·/·37)·for·' | 203 | #·BEGIN·fix·(23·/·37)·for·'sudo_remove_nopasswd' |
| 204 | ############################################################################### | 204 | ############################################################################### |
| 205 | (>&2·echo·"Remediating·rule·23/37:·' | 205 | (>&2·echo·"Remediating·rule·23/37:·'sudo_remove_nopasswd'") |
| 206 | #·FIX·FOR·THIS·RULE·IS·MISSING | 206 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 207 | #·END·fix·for·' | 207 | #·END·fix·for·'sudo_remove_nopasswd' |
| 208 | ############################################################################### | 208 | ############################################################################### |
| 209 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' | 209 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' |
| 210 | ############################################################################### | 210 | ############################################################################### |
| 211 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") | 211 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") |
| 212 | #·FIX·FOR·THIS·RULE·IS·MISSING | 212 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 213 | #·END·fix·for·'partition_for_home' | 213 | #·END·fix·for·'partition_for_home' |
| 214 | ############################################################################### | 214 | ############################################################################### |
| 215 | #·BEGIN·fix·(25·/·37)·for·'partition_for_ | 215 | #·BEGIN·fix·(25·/·37)·for·'partition_for_var' |
| 216 | ############################################################################### | 216 | ############################################################################### |
| 217 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_ | 217 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_var'") |
| Max diff block lines reached; 912/9124 bytes (10.00%) of diff not shown. | |||
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·36)·for·'package_ | 88 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/36:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·36)·for·'package_ | 94 | #·BEGIN·fix·(7·/·36)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/36:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/36:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·36)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·36)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/36:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/36:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·36)·for·'service_auditd_enabled' | 118 | #·BEGIN·fix·(10·/·36)·for·'service_auditd_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/36:·'service_auditd_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/36:·'service_auditd_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_auditd_enabled' | 122 | #·END·fix·for·'service_auditd_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·36)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·36)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/36:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/36:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 75 lines modified | Offset 160, 75 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·36)·for·'s | 166 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/36:·'s | 168 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·'s | 170 | #·END·fix·for·'rsyslog_files_permissions' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·36)·for·'s | 172 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/36:·'s | 174 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·'s | 176 | #·END·fix·for·'rsyslog_files_ownership' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' | 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") | 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·'rsyslog_files_groupownership' | 182 | #·END·fix·for·'rsyslog_files_groupownership' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·36)·for·' | 184 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/36:·' | 186 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'ensure_logrotate_activated' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·36)·for·' | 190 | #·BEGIN·fix·(21·/·36)·for·'sudo_remove_no_authenticate' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/36:·' | 192 | (>&2·echo·"Remediating·rule·21/36:·'sudo_remove_no_authenticate'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·' | 194 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | #·BEGIN·fix·(22·/·36)·for·' | 196 | #·BEGIN·fix·(22·/·36)·for·'sudo_remove_nopasswd' |
| 197 | ############################################################################### | 197 | ############################################################################### |
| 198 | (>&2·echo·"Remediating·rule·22/36:·' | 198 | (>&2·echo·"Remediating·rule·22/36:·'sudo_remove_nopasswd'") |
| 199 | #·FIX·FOR·THIS·RULE·IS·MISSING | 199 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 200 | #·END·fix·for·' | 200 | #·END·fix·for·'sudo_remove_nopasswd' |
| 201 | ############################################################################### | 201 | ############################################################################### |
| 202 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' | 202 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' |
| 203 | ############################################################################### | 203 | ############################################################################### |
| 204 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") | 204 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") |
| 205 | #·FIX·FOR·THIS·RULE·IS·MISSING | 205 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 206 | #·END·fix·for·'partition_for_home' | 206 | #·END·fix·for·'partition_for_home' |
| 207 | ############################################################################### | 207 | ############################################################################### |
| 208 | #·BEGIN·fix·(24·/·36)·for·'partition_for_ | 208 | #·BEGIN·fix·(24·/·36)·for·'partition_for_var' |
| 209 | ############################################################################### | 209 | ############################################################################### |
| 210 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_ | 210 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_var'") |
| Max diff block lines reached; 912/9151 bytes (9.97%) of diff not shown. | |||
| Offset 85, 33 lines modified | Offset 85, 33 lines modified | ||
| 85 | #» ···remediation·AFTER·testing·on·a·non-production | 85 | #» ···remediation·AFTER·testing·on·a·non-production |
| 86 | #» ···system! | 86 | #» ···system! |
| 87 | apt-get·remove·--purge·telnetd | 87 | apt-get·remove·--purge·telnetd |
| 88 | #·END·fix·for·'package_telnetd_removed' | 88 | #·END·fix·for·'package_telnetd_removed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | #·BEGIN·fix·(6·/·36)·for·' | 90 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/36:·' | 92 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·' | 94 | #·END·fix·for·'service_cron_enabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' | 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") | 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'package_ntp_installed' | 100 | #·END·fix·for·'package_ntp_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·36)·for·' | 102 | #·BEGIN·fix·(8·/·36)·for·'package_cron_installed' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/36:·' | 104 | (>&2·echo·"Remediating·rule·8/36:·'package_cron_installed'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·' | 106 | #·END·fix·for·'package_cron_installed' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' | 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") | 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'package_auditd_installed' | 112 | #·END·fix·for·'package_auditd_installed' |
| Offset 127, 68 lines modified | Offset 127, 68 lines modified | ||
| 127 | #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled' | 127 | #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled' |
| 128 | ############################################################################### | 128 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'") | 129 | (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'") |
| 130 | #·FIX·FOR·THIS·RULE·IS·MISSING | 130 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 131 | #·END·fix·for·'service_auditd_enabled' | 131 | #·END·fix·for·'service_auditd_enabled' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_set_idle_timeout' |
| 134 | ############################################################################### | 134 | ############################################################################### |
| 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_set_idle_timeout'") |
| 136 | #·FIX·FOR·THIS·RULE·IS·MISSING | 136 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 137 | #·END·fix·for·'sshd_ | 137 | #·END·fix·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_allow_only_protocol2' |
| 140 | ############################################################################### | 140 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_allow_only_protocol2'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 142 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'sshd_ | 143 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_keepalive' |
| 146 | ############################################################################### | 146 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_keepalive'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 148 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'sshd_set_ | 149 | #·END·fix·for·'sshd_set_keepalive' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 152 | ############################################################################### | 152 | ############################################################################### |
| 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | 154 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 155 | #·END·fix·for·'sshd_set_ | 155 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 156 | ############################################################################### | 156 | ############################################################################### |
| 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 158 | ############################################################################### | 158 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | 160 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 161 | #·END·fix·for·'sshd_disable_root_login' | 161 | #·END·fix·for·'sshd_disable_root_login' |
| 162 | ############################################################################### | 162 | ############################################################################### |
| 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_ | 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions' |
| 164 | ############################################################################### | 164 | ############################################################################### |
| 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_ | 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'") |
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | 166 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 167 | #·END·fix·for·'rsyslog_files_ | 167 | #·END·fix·for·'rsyslog_files_permissions' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' | 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' |
| 170 | ############################################################################### | 170 | ############################################################################### |
| 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") | 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") |
| 172 | #·FIX·FOR·THIS·RULE·IS·MISSING | 172 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 173 | #·END·fix·for·'rsyslog_files_ownership' | 173 | #·END·fix·for·'rsyslog_files_ownership' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_p | 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_p | 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") |
| 178 | #·FIX·FOR·THIS·RULE·IS·MISSING | 178 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 179 | #·END·fix·for·'rsyslog_files_p | 179 | #·END·fix·for·'rsyslog_files_groupownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' | 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' |
| 182 | ############################################################################### | 182 | ############################################################################### |
| 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") | 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") |
| 184 | #·FIX·FOR·THIS·RULE·IS·MISSING | 184 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 185 | #·END·fix·for·'ensure_logrotate_activated' | 185 | #·END·fix·for·'ensure_logrotate_activated' |
| Offset 211, 26 lines modified | Offset 211, 26 lines modified | ||
| 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' | 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' |
| 212 | ############################################################################### | 212 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") | 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") |
| 214 | #·FIX·FOR·THIS·RULE·IS·MISSING | 214 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 215 | #·END·fix·for·'partition_for_home' | 215 | #·END·fix·for·'partition_for_home' |
| 216 | ############################################################################### | 216 | ############################################################################### |
| 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_ | 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_var' |
| 218 | ############################################################################### | 218 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_ | 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_var'") |
| 220 | #·FIX·FOR·THIS·RULE·IS·MISSING | 220 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 221 | #·END·fix·for·'partition_for_ | 221 | #·END·fix·for·'partition_for_var' |
| 222 | ############################################################################### | 222 | ############################################################################### |
| 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_ | 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_tmp' |
| 224 | ############################################################################### | 224 | ############################################################################### |
| 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_ | 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_tmp'") |
| 226 | #·FIX·FOR·THIS·RULE·IS·MISSING | 226 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 227 | #·END·fix·for·'partition_for_ | 227 | #·END·fix·for·'partition_for_tmp' |
| 228 | ############################################################################### | 228 | ############################################################################### |
| 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' | 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' |
| 230 | ############################################################################### | 230 | ############################################################################### |
| 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") | 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") |
| Max diff block lines reached; 45/7925 bytes (0.57%) of diff not shown. | |||
| Offset 90, 40 lines modified | Offset 90, 40 lines modified | ||
| 90 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' | 90 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") | 92 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·'package_ntp_installed' | 94 | #·END·fix·for·'package_ntp_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·32)·for·'sshd_ | 96 | #·BEGIN·fix·(7·/·32)·for·'sshd_set_idle_timeout' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/32:·'sshd_ | 98 | (>&2·echo·"Remediating·rule·7/32:·'sshd_set_idle_timeout'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'sshd_ | 100 | #·END·fix·for·'sshd_set_idle_timeout' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·32)·for·'sshd_ | 102 | #·BEGIN·fix·(8·/·32)·for·'sshd_allow_only_protocol2' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/32:·'sshd_ | 104 | (>&2·echo·"Remediating·rule·8/32:·'sshd_allow_only_protocol2'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'sshd_ | 106 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_ | 108 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_keepalive' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_ | 110 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_keepalive'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'sshd_set_ | 112 | #·END·fix·for·'sshd_set_keepalive' |
| 113 | ############################################################################### | 113 | ############################################################################### |
| 114 | #·BEGIN·fix·(10·/·32)·for·'sshd_set_ | 114 | #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·10/32:·'sshd_set_ | 116 | (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'sshd_set_ | 118 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' | 120 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") | 122 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") |
| 123 | #·FIX·FOR·THIS·RULE·IS·MISSING | 123 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 124 | #·END·fix·for·'sshd_disable_root_login' | 124 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 132, 75 lines modified | Offset 132, 75 lines modified | ||
| 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' | 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") | 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | #·BEGIN·fix·(13·/·32)·for·'s | 138 | #·BEGIN·fix·(13·/·32)·for·'rsyslog_files_permissions' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule·13/32:·'s | 140 | (>&2·echo·"Remediating·rule·13/32:·'rsyslog_files_permissions'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 141 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·'s | 142 | #·END·fix·for·'rsyslog_files_permissions' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | #·BEGIN·fix·(14·/·32)·for·'s | 144 | #·BEGIN·fix·(14·/·32)·for·'rsyslog_files_ownership' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule·14/32:·'s | 146 | (>&2·echo·"Remediating·rule·14/32:·'rsyslog_files_ownership'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 147 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·'s | 148 | #·END·fix·for·'rsyslog_files_ownership' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership' | 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'") | 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'") |
| 153 | #·FIX·FOR·THIS·RULE·IS·MISSING | 153 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 154 | #·END·fix·for·'rsyslog_files_groupownership' | 154 | #·END·fix·for·'rsyslog_files_groupownership' |
| 155 | ############################################################################### | 155 | ############################################################################### |
| 156 | #·BEGIN·fix·(16·/·32)·for·' | 156 | #·BEGIN·fix·(16·/·32)·for·'ensure_logrotate_activated' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | (>&2·echo·"Remediating·rule·16/32:·' | 158 | (>&2·echo·"Remediating·rule·16/32:·'ensure_logrotate_activated'") |
| 159 | #·FIX·FOR·THIS·RULE·IS·MISSING | 159 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 160 | #·END·fix·for·' | 160 | #·END·fix·for·'ensure_logrotate_activated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | #·BEGIN·fix·(17·/·32)·for·' | 162 | #·BEGIN·fix·(17·/·32)·for·'sudo_remove_no_authenticate' |
| 163 | ############################################################################### | 163 | ############################################################################### |
| 164 | (>&2·echo·"Remediating·rule·17/32:·' | 164 | (>&2·echo·"Remediating·rule·17/32:·'sudo_remove_no_authenticate'") |
| 165 | #·FIX·FOR·THIS·RULE·IS·MISSING | 165 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 166 | #·END·fix·for·' | 166 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | #·BEGIN·fix·(18·/·32)·for·' | 168 | #·BEGIN·fix·(18·/·32)·for·'sudo_remove_nopasswd' |
| 169 | ############################################################################### | 169 | ############################################################################### |
| 170 | (>&2·echo·"Remediating·rule·18/32:·' | 170 | (>&2·echo·"Remediating·rule·18/32:·'sudo_remove_nopasswd'") |
| 171 | #·FIX·FOR·THIS·RULE·IS·MISSING | 171 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 172 | #·END·fix·for·' | 172 | #·END·fix·for·'sudo_remove_nopasswd' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | #·BEGIN·fix·(19·/·32)·for·'partition_for_home' | 174 | #·BEGIN·fix·(19·/·32)·for·'partition_for_home' |
| 175 | ############################################################################### | 175 | ############################################################################### |
| 176 | (>&2·echo·"Remediating·rule·19/32:·'partition_for_home'") | 176 | (>&2·echo·"Remediating·rule·19/32:·'partition_for_home'") |
| 177 | #·FIX·FOR·THIS·RULE·IS·MISSING | 177 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 178 | #·END·fix·for·'partition_for_home' | 178 | #·END·fix·for·'partition_for_home' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | #·BEGIN·fix·(20·/·32)·for·'partition_for_ | 180 | #·BEGIN·fix·(20·/·32)·for·'partition_for_var' |
| 181 | ############################################################################### | 181 | ############################################################################### |
| 182 | (>&2·echo·"Remediating·rule·20/32:·'partition_for_ | 182 | (>&2·echo·"Remediating·rule·20/32:·'partition_for_var'") |
| 183 | #·FIX·FOR·THIS·RULE·IS·MISSING | 183 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 184 | #·END·fix·for·'partition_for_ | 184 | #·END·fix·for·'partition_for_var' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | #·BEGIN·fix·(21·/·32)·for·'partition_for_ | 186 | #·BEGIN·fix·(21·/·32)·for·'partition_for_tmp' |
| 187 | ############################################################################### | 187 | ############################################################################### |
| 188 | (>&2·echo·"Remediating·rule·21/32:·'partition_for_ | 188 | (>&2·echo·"Remediating·rule·21/32:·'partition_for_tmp'") |
| 189 | #·FIX·FOR·THIS·RULE·IS·MISSING | 189 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 190 | #·END·fix·for·'partition_for_ | 190 | #·END·fix·for·'partition_for_tmp' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | #·BEGIN·fix·(22·/·32)·for·'partition_for_var_log_audit' | 192 | #·BEGIN·fix·(22·/·32)·for·'partition_for_var_log_audit' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | (>&2·echo·"Remediating·rule·22/32:·'partition_for_var_log_audit'") | 194 | (>&2·echo·"Remediating·rule·22/32:·'partition_for_var_log_audit'") |
| 195 | #·FIX·FOR·THIS·RULE·IS·MISSING | 195 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 196 | #·END·fix·for·'partition_for_var_log_audit' | 196 | #·END·fix·for·'partition_for_var_log_audit' |
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·37)·for·'package_ | 88 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/37:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·37)·for·'package_ | 94 | #·BEGIN·fix·(7·/·37)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/37:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/37:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·37)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·37)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/37:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/37:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·37)·for·'service_auditd_enabled' | 118 | #·BEGIN·fix·(10·/·37)·for·'service_auditd_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/37:·'service_auditd_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/37:·'service_auditd_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_auditd_enabled' | 122 | #·END·fix·for·'service_auditd_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·37)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·37)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/37:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/37:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·37)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·37)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/37:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/37:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·37)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/37:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 167, 75 lines modified | Offset 167, 75 lines modified | ||
| 167 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' | 167 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") | 169 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") |
| 170 | #·FIX·FOR·THIS·RULE·IS·MISSING | 170 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 171 | #·END·fix·for·'grub2_enable_iommu_force' | 171 | #·END·fix·for·'grub2_enable_iommu_force' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | #·BEGIN·fix·(18·/·37)·for·'s | 173 | #·BEGIN·fix·(18·/·37)·for·'rsyslog_files_permissions' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | (>&2·echo·"Remediating·rule·18/37:·'s | 175 | (>&2·echo·"Remediating·rule·18/37:·'rsyslog_files_permissions'") |
| 176 | #·FIX·FOR·THIS·RULE·IS·MISSING | 176 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 177 | #·END·fix·for·'s | 177 | #·END·fix·for·'rsyslog_files_permissions' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | #·BEGIN·fix·(19·/·37)·for·'s | 179 | #·BEGIN·fix·(19·/·37)·for·'rsyslog_files_ownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | (>&2·echo·"Remediating·rule·19/37:·'s | 181 | (>&2·echo·"Remediating·rule·19/37:·'rsyslog_files_ownership'") |
| 182 | #·FIX·FOR·THIS·RULE·IS·MISSING | 182 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 183 | #·END·fix·for·'s | 183 | #·END·fix·for·'rsyslog_files_ownership' |
| 184 | ############################################################################### | 184 | ############################################################################### |
| 185 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_groupownership' | 185 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_groupownership' |
| 186 | ############################################################################### | 186 | ############################################################################### |
| 187 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_groupownership'") | 187 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_groupownership'") |
| 188 | #·FIX·FOR·THIS·RULE·IS·MISSING | 188 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 189 | #·END·fix·for·'rsyslog_files_groupownership' | 189 | #·END·fix·for·'rsyslog_files_groupownership' |
| 190 | ############################################################################### | 190 | ############################################################################### |
| 191 | #·BEGIN·fix·(21·/·37)·for·' | 191 | #·BEGIN·fix·(21·/·37)·for·'ensure_logrotate_activated' |
| 192 | ############################################################################### | 192 | ############################################################################### |
| 193 | (>&2·echo·"Remediating·rule·21/37:·' | 193 | (>&2·echo·"Remediating·rule·21/37:·'ensure_logrotate_activated'") |
| 194 | #·FIX·FOR·THIS·RULE·IS·MISSING | 194 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 195 | #·END·fix·for·' | 195 | #·END·fix·for·'ensure_logrotate_activated' |
| 196 | ############################################################################### | 196 | ############################################################################### |
| 197 | #·BEGIN·fix·(22·/·37)·for·' | 197 | #·BEGIN·fix·(22·/·37)·for·'sudo_remove_no_authenticate' |
| 198 | ############################################################################### | 198 | ############################################################################### |
| 199 | (>&2·echo·"Remediating·rule·22/37:·' | 199 | (>&2·echo·"Remediating·rule·22/37:·'sudo_remove_no_authenticate'") |
| 200 | #·FIX·FOR·THIS·RULE·IS·MISSING | 200 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 201 | #·END·fix·for·' | 201 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 202 | ############################################################################### | 202 | ############################################################################### |
| 203 | #·BEGIN·fix·(23·/·37)·for·' | 203 | #·BEGIN·fix·(23·/·37)·for·'sudo_remove_nopasswd' |
| 204 | ############################################################################### | 204 | ############################################################################### |
| 205 | (>&2·echo·"Remediating·rule·23/37:·' | 205 | (>&2·echo·"Remediating·rule·23/37:·'sudo_remove_nopasswd'") |
| 206 | #·FIX·FOR·THIS·RULE·IS·MISSING | 206 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 207 | #·END·fix·for·' | 207 | #·END·fix·for·'sudo_remove_nopasswd' |
| 208 | ############################################################################### | 208 | ############################################################################### |
| 209 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' | 209 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' |
| 210 | ############################################################################### | 210 | ############################################################################### |
| 211 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") | 211 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") |
| 212 | #·FIX·FOR·THIS·RULE·IS·MISSING | 212 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 213 | #·END·fix·for·'partition_for_home' | 213 | #·END·fix·for·'partition_for_home' |
| 214 | ############################################################################### | 214 | ############################################################################### |
| 215 | #·BEGIN·fix·(25·/·37)·for·'partition_for_ | 215 | #·BEGIN·fix·(25·/·37)·for·'partition_for_var' |
| 216 | ############################################################################### | 216 | ############################################################################### |
| 217 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_ | 217 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_var'") |
| Max diff block lines reached; 912/9124 bytes (10.00%) of diff not shown. | |||
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·36)·for·'package_ | 88 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/36:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·36)·for·'package_ | 94 | #·BEGIN·fix·(7·/·36)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/36:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/36:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·36)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·36)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/36:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/36:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·36)·for·'service_auditd_enabled' | 118 | #·BEGIN·fix·(10·/·36)·for·'service_auditd_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/36:·'service_auditd_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/36:·'service_auditd_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_auditd_enabled' | 122 | #·END·fix·for·'service_auditd_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·36)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·36)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/36:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/36:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 75 lines modified | Offset 160, 75 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·36)·for·'s | 166 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/36:·'s | 168 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·'s | 170 | #·END·fix·for·'rsyslog_files_permissions' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·36)·for·'s | 172 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/36:·'s | 174 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·'s | 176 | #·END·fix·for·'rsyslog_files_ownership' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' | 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") | 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·'rsyslog_files_groupownership' | 182 | #·END·fix·for·'rsyslog_files_groupownership' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·36)·for·' | 184 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/36:·' | 186 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'ensure_logrotate_activated' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·36)·for·' | 190 | #·BEGIN·fix·(21·/·36)·for·'sudo_remove_no_authenticate' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/36:·' | 192 | (>&2·echo·"Remediating·rule·21/36:·'sudo_remove_no_authenticate'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·' | 194 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | #·BEGIN·fix·(22·/·36)·for·' | 196 | #·BEGIN·fix·(22·/·36)·for·'sudo_remove_nopasswd' |
| 197 | ############################################################################### | 197 | ############################################################################### |
| 198 | (>&2·echo·"Remediating·rule·22/36:·' | 198 | (>&2·echo·"Remediating·rule·22/36:·'sudo_remove_nopasswd'") |
| 199 | #·FIX·FOR·THIS·RULE·IS·MISSING | 199 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 200 | #·END·fix·for·' | 200 | #·END·fix·for·'sudo_remove_nopasswd' |
| 201 | ############################################################################### | 201 | ############################################################################### |
| 202 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' | 202 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' |
| 203 | ############################################################################### | 203 | ############################################################################### |
| 204 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") | 204 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") |
| 205 | #·FIX·FOR·THIS·RULE·IS·MISSING | 205 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 206 | #·END·fix·for·'partition_for_home' | 206 | #·END·fix·for·'partition_for_home' |
| 207 | ############################################################################### | 207 | ############################################################################### |
| 208 | #·BEGIN·fix·(24·/·36)·for·'partition_for_ | 208 | #·BEGIN·fix·(24·/·36)·for·'partition_for_var' |
| 209 | ############################################################################### | 209 | ############################################################################### |
| 210 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_ | 210 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_var'") |
| Max diff block lines reached; 912/9151 bytes (9.97%) of diff not shown. | |||
| Offset 85, 33 lines modified | Offset 85, 33 lines modified | ||
| 85 | #» ···remediation·AFTER·testing·on·a·non-production | 85 | #» ···remediation·AFTER·testing·on·a·non-production |
| 86 | #» ···system! | 86 | #» ···system! |
| 87 | apt-get·remove·--purge·telnetd | 87 | apt-get·remove·--purge·telnetd |
| 88 | #·END·fix·for·'package_telnetd_removed' | 88 | #·END·fix·for·'package_telnetd_removed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | #·BEGIN·fix·(6·/·36)·for·' | 90 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/36:·' | 92 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·' | 94 | #·END·fix·for·'service_cron_enabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' | 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") | 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'package_ntp_installed' | 100 | #·END·fix·for·'package_ntp_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·36)·for·' | 102 | #·BEGIN·fix·(8·/·36)·for·'package_cron_installed' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/36:·' | 104 | (>&2·echo·"Remediating·rule·8/36:·'package_cron_installed'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·' | 106 | #·END·fix·for·'package_cron_installed' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' | 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") | 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'package_auditd_installed' | 112 | #·END·fix·for·'package_auditd_installed' |
| Offset 127, 68 lines modified | Offset 127, 68 lines modified | ||
| 127 | #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled' | 127 | #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled' |
| 128 | ############################################################################### | 128 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'") | 129 | (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'") |
| 130 | #·FIX·FOR·THIS·RULE·IS·MISSING | 130 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 131 | #·END·fix·for·'service_auditd_enabled' | 131 | #·END·fix·for·'service_auditd_enabled' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_set_idle_timeout' |
| 134 | ############################################################################### | 134 | ############################################################################### |
| 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_set_idle_timeout'") |
| 136 | #·FIX·FOR·THIS·RULE·IS·MISSING | 136 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 137 | #·END·fix·for·'sshd_ | 137 | #·END·fix·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_allow_only_protocol2' |
| 140 | ############################################################################### | 140 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_allow_only_protocol2'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 142 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'sshd_ | 143 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_keepalive' |
| 146 | ############################################################################### | 146 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_keepalive'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 148 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'sshd_set_ | 149 | #·END·fix·for·'sshd_set_keepalive' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 152 | ############################################################################### | 152 | ############################################################################### |
| 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | 154 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 155 | #·END·fix·for·'sshd_set_ | 155 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 156 | ############################################################################### | 156 | ############################################################################### |
| 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 158 | ############################################################################### | 158 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | 160 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 161 | #·END·fix·for·'sshd_disable_root_login' | 161 | #·END·fix·for·'sshd_disable_root_login' |
| 162 | ############################################################################### | 162 | ############################################################################### |
| 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_ | 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions' |
| 164 | ############################################################################### | 164 | ############################################################################### |
| 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_ | 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'") |
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | 166 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 167 | #·END·fix·for·'rsyslog_files_ | 167 | #·END·fix·for·'rsyslog_files_permissions' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' | 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' |
| 170 | ############################################################################### | 170 | ############################################################################### |
| 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") | 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") |
| 172 | #·FIX·FOR·THIS·RULE·IS·MISSING | 172 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 173 | #·END·fix·for·'rsyslog_files_ownership' | 173 | #·END·fix·for·'rsyslog_files_ownership' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_p | 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_p | 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") |
| 178 | #·FIX·FOR·THIS·RULE·IS·MISSING | 178 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 179 | #·END·fix·for·'rsyslog_files_p | 179 | #·END·fix·for·'rsyslog_files_groupownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' | 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' |
| 182 | ############################################################################### | 182 | ############################################################################### |
| 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") | 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") |
| 184 | #·FIX·FOR·THIS·RULE·IS·MISSING | 184 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 185 | #·END·fix·for·'ensure_logrotate_activated' | 185 | #·END·fix·for·'ensure_logrotate_activated' |
| Offset 211, 26 lines modified | Offset 211, 26 lines modified | ||
| 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' | 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' |
| 212 | ############################################################################### | 212 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") | 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") |
| 214 | #·FIX·FOR·THIS·RULE·IS·MISSING | 214 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 215 | #·END·fix·for·'partition_for_home' | 215 | #·END·fix·for·'partition_for_home' |
| 216 | ############################################################################### | 216 | ############################################################################### |
| 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_ | 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_var' |
| 218 | ############################################################################### | 218 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_ | 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_var'") |
| 220 | #·FIX·FOR·THIS·RULE·IS·MISSING | 220 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 221 | #·END·fix·for·'partition_for_ | 221 | #·END·fix·for·'partition_for_var' |
| 222 | ############################################################################### | 222 | ############################################################################### |
| 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_ | 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_tmp' |
| 224 | ############################################################################### | 224 | ############################################################################### |
| 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_ | 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_tmp'") |
| 226 | #·FIX·FOR·THIS·RULE·IS·MISSING | 226 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 227 | #·END·fix·for·'partition_for_ | 227 | #·END·fix·for·'partition_for_tmp' |
| 228 | ############################################################################### | 228 | ############################################################################### |
| 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' | 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' |
| 230 | ############################################################################### | 230 | ############################################################################### |
| 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") | 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") |
| Max diff block lines reached; 45/7925 bytes (0.57%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:37:41</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="2020-04-28T11:48:06"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:37:41</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> | 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 5544, 15 lines modified | Offset 5544, 15 lines modified | ||
| 5544 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5544 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5545 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5545 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5546 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5546 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5547 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5547 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5548 | ······</ns0:variables> | 5548 | ······</ns0:variables> |
| 5549 | ····</ns0:oval_definitions> | 5549 | ····</ns0:oval_definitions> |
| 5550 | ··</ds:component> | 5550 | ··</ds:component> |
| 5551 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="202 | 5551 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="2020-04-28T11:48:06"> |
| 5552 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5552 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5553 | ······<ns0:generator> | 5553 | ······<ns0:generator> |
| 5554 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5554 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5555 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5555 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5556 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5556 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5557 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5557 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5558 | ······</ns0:generator> | 5558 | ······</ns0:generator> |
| Offset 5565, 78 lines modified | Offset 5565, 66 lines modified | ||
| 5565 | ········</ns0:questionnaire> | 5565 | ········</ns0:questionnaire> |
| 5566 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | 5566 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> |
| 5567 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> | 5567 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> |
| 5568 | ··········<ns0:actions> | 5568 | ··········<ns0:actions> |
| 5569 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | 5569 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> |
| 5570 | ··········</ns0:actions> | 5570 | ··········</ns0:actions> |
| 5571 | ········</ns0:questionnaire> | 5571 | ········</ns0:questionnaire> |
| 5572 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 5573 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 5574 | ··········<ns0:actions> | ||
| 5575 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 5576 | ··········</ns0:actions> | ||
| 5577 | ········</ns0:questionnaire> | ||
| 5578 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 5579 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 5580 | ··········<ns0:actions> | ||
| 5581 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 5582 | ··········</ns0:actions> | ||
| 5583 | ········</ns0:questionnaire> | ||
| 5584 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5572 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5585 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5573 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5586 | ··········<ns0:actions> | 5574 | ··········<ns0:actions> |
| 5587 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5575 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5588 | ··········</ns0:actions> | 5576 | ··········</ns0:actions> |
| 5589 | ········</ns0:questionnaire> | 5577 | ········</ns0:questionnaire> |
| 5590 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5578 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 5591 | ··········<ns0:title> | 5579 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 5592 | ··········<ns0:actions> | 5580 | ··········<ns0:actions> |
| 5593 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5581 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 5594 | ··········</ns0:actions> | 5582 | ··········</ns0:actions> |
| 5595 | ········</ns0:questionnaire> | 5583 | ········</ns0:questionnaire> |
| 5596 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5584 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5597 | ··········<ns0:title> | 5585 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5598 | ··········<ns0:actions> | 5586 | ··········<ns0:actions> |
| 5599 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5587 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5600 | ··········</ns0:actions> | 5588 | ··········</ns0:actions> |
| 5601 | ········</ns0:questionnaire> | 5589 | ········</ns0:questionnaire> |
| 5602 | ········<ns0:questionnaire·id="ocil:ssg-s | 5590 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 5603 | ··········<ns0:title> | 5591 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 5604 | ··········<ns0:actions> | 5592 | ··········<ns0:actions> |
| 5605 | ············<ns0:test_action_ref>ocil:ssg-s | 5593 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 5606 | ··········</ns0:actions> | 5594 | ··········</ns0:actions> |
| 5607 | ········</ns0:questionnaire> | 5595 | ········</ns0:questionnaire> |
| 5608 | ········<ns0:questionnaire·id="ocil:ssg-s | 5596 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5609 | ··········<ns0:title> | 5597 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5610 | ··········<ns0:actions> | 5598 | ··········<ns0:actions> |
| 5611 | ············<ns0:test_action_ref>ocil:ssg-s | 5599 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5612 | ··········</ns0:actions> | 5600 | ··········</ns0:actions> |
| 5613 | ········</ns0:questionnaire> | 5601 | ········</ns0:questionnaire> |
| 5614 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 5602 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 5615 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 5603 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 5616 | ··········<ns0:actions> | 5604 | ··········<ns0:actions> |
| 5617 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 5605 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 5618 | ··········</ns0:actions> | 5606 | ··········</ns0:actions> |
| 5619 | ········</ns0:questionnaire> | 5607 | ········</ns0:questionnaire> |
| 5620 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 5608 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 5621 | ··········<ns0:title>Ensure·Log·Files· | 5609 | ··········<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 5622 | ··········<ns0:actions> | 5610 | ··········<ns0:actions> |
| 5623 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 5611 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 5624 | ··········</ns0:actions> | 5612 | ··········</ns0:actions> |
| 5625 | ········</ns0:questionnaire> | 5613 | ········</ns0:questionnaire> |
| 5626 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 5614 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 5627 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 5615 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 5628 | ··········<ns0:actions> | 5616 | ··········<ns0:actions> |
| 5629 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 5617 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 5630 | ··········</ns0:actions> | 5618 | ··········</ns0:actions> |
| 5631 | ········</ns0:questionnaire> | 5619 | ········</ns0:questionnaire> |
| 5632 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 5620 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5633 | ··········<ns0:title>Ensure· | 5621 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5634 | ··········<ns0:actions> | 5622 | ··········<ns0:actions> |
| 5635 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 5623 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5636 | ··········</ns0:actions> | 5624 | ··········</ns0:actions> |
| 5637 | ········</ns0:questionnaire> | 5625 | ········</ns0:questionnaire> |
| 5638 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 5626 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 5639 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 5627 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 5640 | ··········<ns0:actions> | 5628 | ··········<ns0:actions> |
| 5641 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 5629 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 5642 | ··········</ns0:actions> | 5630 | ··········</ns0:actions> |
| Offset 5661, 38 lines modified | Offset 5649, 50 lines modified | ||
| 5661 | ········</ns0:questionnaire> | 5649 | ········</ns0:questionnaire> |
| 5662 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 5650 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 5663 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 5651 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 5664 | ··········<ns0:actions> | 5652 | ··········<ns0:actions> |
| 5665 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 5653 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 5666 | ··········</ns0:actions> | 5654 | ··········</ns0:actions> |
| 5667 | ········</ns0:questionnaire> | 5655 | ········</ns0:questionnaire> |
| 5656 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 5657 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 5658 | ··········<ns0:actions> | ||
| Max diff block lines reached; 167903/179026 bytes (93.79%) of diff not shown. | |||
| Offset 15, 78 lines modified | Offset 15, 66 lines modified | ||
| 15 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Enable·the·auditd·service</ns0:title> | 17 | ······<ns0:title>Enable·the·auditd·service</ns0:title> |
| 18 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | 19 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 24 | ······<ns0:actions> | ||
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 26 | ······</ns0:actions> | ||
| 27 | ····</ns0:questionnaire> | ||
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 29 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 30 | ······<ns0:actions> | ||
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 32 | ······</ns0:actions> | ||
| 33 | ····</ns0:questionnaire> | ||
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 23 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 29 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 42 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 47 | ······<ns0:title> | 35 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 48 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-s | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 53 | ······<ns0:title> | 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 54 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-s | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-s | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 59 | ······<ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 60 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 61 | ········<ns0:test_action_ref>ocil:ssg-s | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 62 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 63 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 65 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 66 | ······<ns0:actions> | 54 | ······<ns0:actions> |
| 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 68 | ······</ns0:actions> | 56 | ······</ns0:actions> |
| 69 | ····</ns0:questionnaire> | 57 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure·Log·Files· | 59 | ······<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 72 | ······<ns0:actions> | 60 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 61 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 62 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 63 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 77 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 65 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 78 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 68 | ······</ns0:actions> |
| 81 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 83 | ······<ns0:title>Ensure· | 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 84 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 88 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 90 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| Offset 111, 38 lines modified | Offset 99, 50 lines modified | ||
| 111 | ····</ns0:questionnaire> | 99 | ····</ns0:questionnaire> |
| 112 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 100 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 113 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 101 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 114 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 115 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 103 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 116 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 117 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 113 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 114 | ······<ns0:actions> | ||
| 115 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ······</ns0:actions> | ||
| 117 | ····</ns0:questionnaire> | ||
| 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> | 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> |
| 120 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> | 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 131 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 132 | ······<ns0:actions> | ||
| 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 134 | ······</ns0:actions> | ||
| 135 | ····</ns0:questionnaire> | ||
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> | 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> | 131 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> |
| 138 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> | 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 141 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 137 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 138 | ······<ns0:actions> | ||
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 140 | ······</ns0:actions> | ||
| Max diff block lines reached; 20701/29320 bytes (70.60%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:37:41</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> | 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 160, 49 lines modified | Offset 160, 67 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id=" | 167 | ··<Profile·id="standard"> |
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Standard·System·Security·Profile·for·Ubuntu·14</title> |
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 170 | 170 | of·a·Ubuntu·14·system.·Regardless·of·your·system's·workload | |
| 171 | 171 | all·of·these·checks·should·pass.</description> | |
| 172 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 173 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 174 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 175 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 176 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 177 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 178 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 179 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 180 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 181 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 182 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 183 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | 184 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 176 | ····<select·idref=" | 185 | ····<select·idref="package_ntpdate_removed"·selected="true"/> |
| 186 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 187 | ····<select·idref="service_cron_enabled"·selected="true"/> | ||
| 188 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 189 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 190 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| 191 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 192 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 193 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 194 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 195 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 196 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 197 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 198 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 199 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 200 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | ||
| 177 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | 201 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> |
| 178 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 202 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 179 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 203 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 180 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 204 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 205 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 206 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 207 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 208 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 181 | ····<select·idref="remediation_functions"·selected="false"/> | 209 | ····<select·idref="remediation_functions"·selected="false"/> |
| 182 | ····<select·idref=" | 210 | ····<select·idref="apt"·selected="false"/> |
| 183 | ····<select·idref="ssh"·selected="false"/> | ||
| 184 | ····<select·idref="ssh_server"·selected="false"/> | ||
| 185 | ····<select·idref="hw-install"·selected="false"/> | 211 | ····<select·idref="hw-install"·selected="false"/> |
| 186 | ····<select·idref="logging"·selected="false"/> | ||
| 187 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 212 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 188 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | ||
| 189 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 213 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 190 | ····<select·idref=" | 214 | ····<select·idref="sudo"·selected="false"/> |
| 191 | ····< | 215 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 192 | ····<select·idref="installation-storage-partitioning"·selected="false"/> | ||
| 193 | ····<select·idref="fs-restrict"·selected="false"/> | ||
| 194 | ····<select·idref="permission_important_state_files"·selected="false"/> | ||
| 195 | ····<select·idref="restriction"·selected="false"/> | ||
| 196 | ····<select·idref="coredumps"·selected="false"/> | ||
| 197 | ····<select·idref="enable_execshield_settings"·selected="false"/> | ||
| 198 | ··</Profile> | 216 | ··</Profile> |
| 199 | ··<Profile·id="anssi_np_nt28_ | 217 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 200 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 218 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 201 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 219 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 202 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 220 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 203 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 221 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 204 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 222 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 205 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 223 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 206 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 224 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 207 | ····<select·idref="package_nis_removed"·selected="true"/> | 225 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 208 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | 226 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| Offset 232, 16 lines modified | Offset 250, 16 lines modified | ||
| 232 | ····<select·idref="partition_for_var_log"·selected="true"/> | 250 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 233 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 251 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 234 | ····<select·idref="partition_for_home"·selected="true"/> | 252 | ····<select·idref="partition_for_home"·selected="true"/> |
| 235 | ····<select·idref="package_auditd_installed"·selected="true"/> | 253 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 236 | ····<select·idref="package_cron_installed"·selected="true"/> | 254 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 237 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 255 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 238 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | 256 | ····<select·idref="service_ntpd_enabled"·selected="true"/> |
| 239 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 240 | ····<select·idref="remediation_functions"·selected="false"/> | 257 | ····<select·idref="remediation_functions"·selected="false"/> |
| 258 | ····<select·idref="hw-install"·selected="false"/> | ||
| 241 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 259 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 242 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 260 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 243 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 261 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 244 | ··</Profile> | 262 | ··</Profile> |
| 245 | ··<Profile·id="anssi_np_nt28_average"> | 263 | ··<Profile·id="anssi_np_nt28_average"> |
| 246 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 264 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 247 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 265 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| Offset 280, 67 lines modified | Offset 298, 49 lines modified | ||
| 280 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | 298 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> |
| 281 | ····<select·idref="remediation_functions"·selected="false"/> | 299 | ····<select·idref="remediation_functions"·selected="false"/> |
| 282 | ····<select·idref="hw-install"·selected="false"/> | 300 | ····<select·idref="hw-install"·selected="false"/> |
| 283 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 301 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 284 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 302 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 285 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 303 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 286 | ··</Profile> | 304 | ··</Profile> |
| 287 | ··<Profile·id="st | 305 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 288 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 306 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 289 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 307 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| 290 | 308 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | |
| 291 | 309 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | |
| 292 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 293 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 294 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 295 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 296 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 297 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 298 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 299 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 300 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 301 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 310 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 302 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 311 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 303 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 312 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 304 | ····<select·idref="package_nis_removed"·selected="true"/> | 313 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 305 | ····<select·idref="p | 314 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| 306 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 307 | ····<select·idref="service_cron_enabled"·selected="true"/> | ||
| 308 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 309 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 310 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| Max diff block lines reached; 124021/135151 bytes (91.76%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:37:43</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="2020-04-28T11:48:06"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:37:43</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> | 36 | ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> | 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 5548, 15 lines modified | Offset 5548, 15 lines modified | ||
| 5548 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5548 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5549 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5549 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5550 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5550 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5551 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5551 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5552 | ······</ns0:variables> | 5552 | ······</ns0:variables> |
| 5553 | ····</ns0:oval_definitions> | 5553 | ····</ns0:oval_definitions> |
| 5554 | ··</ds:component> | 5554 | ··</ds:component> |
| 5555 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="202 | 5555 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="2020-04-28T11:48:08"> |
| 5556 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5556 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5557 | ······<ns0:generator> | 5557 | ······<ns0:generator> |
| 5558 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5558 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5559 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5559 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5560 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5560 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5561 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5561 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5562 | ······</ns0:generator> | 5562 | ······</ns0:generator> |
| Offset 5569, 78 lines modified | Offset 5569, 66 lines modified | ||
| 5569 | ········</ns0:questionnaire> | 5569 | ········</ns0:questionnaire> |
| 5570 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | 5570 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> |
| 5571 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> | 5571 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> |
| 5572 | ··········<ns0:actions> | 5572 | ··········<ns0:actions> |
| 5573 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | 5573 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> |
| 5574 | ··········</ns0:actions> | 5574 | ··········</ns0:actions> |
| 5575 | ········</ns0:questionnaire> | 5575 | ········</ns0:questionnaire> |
| 5576 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 5577 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 5578 | ··········<ns0:actions> | ||
| 5579 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 5580 | ··········</ns0:actions> | ||
| 5581 | ········</ns0:questionnaire> | ||
| 5582 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 5583 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 5584 | ··········<ns0:actions> | ||
| 5585 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 5586 | ··········</ns0:actions> | ||
| 5587 | ········</ns0:questionnaire> | ||
| 5588 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5576 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5589 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5577 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5590 | ··········<ns0:actions> | 5578 | ··········<ns0:actions> |
| 5591 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5579 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5592 | ··········</ns0:actions> | 5580 | ··········</ns0:actions> |
| 5593 | ········</ns0:questionnaire> | 5581 | ········</ns0:questionnaire> |
| 5594 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5582 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 5595 | ··········<ns0:title> | 5583 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 5596 | ··········<ns0:actions> | 5584 | ··········<ns0:actions> |
| 5597 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5585 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 5598 | ··········</ns0:actions> | 5586 | ··········</ns0:actions> |
| 5599 | ········</ns0:questionnaire> | 5587 | ········</ns0:questionnaire> |
| 5600 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5588 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5601 | ··········<ns0:title> | 5589 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5602 | ··········<ns0:actions> | 5590 | ··········<ns0:actions> |
| 5603 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5591 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5604 | ··········</ns0:actions> | 5592 | ··········</ns0:actions> |
| 5605 | ········</ns0:questionnaire> | 5593 | ········</ns0:questionnaire> |
| 5606 | ········<ns0:questionnaire·id="ocil:ssg-s | 5594 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 5607 | ··········<ns0:title> | 5595 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 5608 | ··········<ns0:actions> | 5596 | ··········<ns0:actions> |
| 5609 | ············<ns0:test_action_ref>ocil:ssg-s | 5597 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 5610 | ··········</ns0:actions> | 5598 | ··········</ns0:actions> |
| 5611 | ········</ns0:questionnaire> | 5599 | ········</ns0:questionnaire> |
| 5612 | ········<ns0:questionnaire·id="ocil:ssg-s | 5600 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5613 | ··········<ns0:title> | 5601 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5614 | ··········<ns0:actions> | 5602 | ··········<ns0:actions> |
| 5615 | ············<ns0:test_action_ref>ocil:ssg-s | 5603 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5616 | ··········</ns0:actions> | 5604 | ··········</ns0:actions> |
| 5617 | ········</ns0:questionnaire> | 5605 | ········</ns0:questionnaire> |
| 5618 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 5606 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 5619 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 5607 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 5620 | ··········<ns0:actions> | 5608 | ··········<ns0:actions> |
| 5621 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 5609 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 5622 | ··········</ns0:actions> | 5610 | ··········</ns0:actions> |
| 5623 | ········</ns0:questionnaire> | 5611 | ········</ns0:questionnaire> |
| 5624 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 5612 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 5625 | ··········<ns0:title>Ensure·Log·Files· | 5613 | ··········<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 5626 | ··········<ns0:actions> | 5614 | ··········<ns0:actions> |
| 5627 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 5615 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 5628 | ··········</ns0:actions> | 5616 | ··········</ns0:actions> |
| 5629 | ········</ns0:questionnaire> | 5617 | ········</ns0:questionnaire> |
| 5630 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 5618 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 5631 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 5619 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 5632 | ··········<ns0:actions> | 5620 | ··········<ns0:actions> |
| 5633 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 5621 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 5634 | ··········</ns0:actions> | 5622 | ··········</ns0:actions> |
| 5635 | ········</ns0:questionnaire> | 5623 | ········</ns0:questionnaire> |
| 5636 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 5624 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5637 | ··········<ns0:title>Ensure· | 5625 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5638 | ··········<ns0:actions> | 5626 | ··········<ns0:actions> |
| 5639 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 5627 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5640 | ··········</ns0:actions> | 5628 | ··········</ns0:actions> |
| 5641 | ········</ns0:questionnaire> | 5629 | ········</ns0:questionnaire> |
| 5642 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 5630 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 5643 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 5631 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 5644 | ··········<ns0:actions> | 5632 | ··········<ns0:actions> |
| 5645 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 5633 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 5646 | ··········</ns0:actions> | 5634 | ··········</ns0:actions> |
| Offset 5665, 38 lines modified | Offset 5653, 50 lines modified | ||
| 5665 | ········</ns0:questionnaire> | 5653 | ········</ns0:questionnaire> |
| 5666 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 5654 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 5667 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 5655 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 5668 | ··········<ns0:actions> | 5656 | ··········<ns0:actions> |
| 5669 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 5657 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 5670 | ··········</ns0:actions> | 5658 | ··········</ns0:actions> |
| 5671 | ········</ns0:questionnaire> | 5659 | ········</ns0:questionnaire> |
| 5660 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 5661 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 5662 | ··········<ns0:actions> | ||
| Max diff block lines reached; 167917/179010 bytes (93.80%) of diff not shown. | |||
| Offset 15, 78 lines modified | Offset 15, 66 lines modified | ||
| 15 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Enable·the·auditd·service</ns0:title> | 17 | ······<ns0:title>Enable·the·auditd·service</ns0:title> |
| 18 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | 19 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 24 | ······<ns0:actions> | ||
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 26 | ······</ns0:actions> | ||
| 27 | ····</ns0:questionnaire> | ||
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 29 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 30 | ······<ns0:actions> | ||
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 32 | ······</ns0:actions> | ||
| 33 | ····</ns0:questionnaire> | ||
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 23 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 29 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 42 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 47 | ······<ns0:title> | 35 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 48 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-s | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 53 | ······<ns0:title> | 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 54 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-s | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-s | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 59 | ······<ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 60 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 61 | ········<ns0:test_action_ref>ocil:ssg-s | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 62 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 63 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 65 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 66 | ······<ns0:actions> | 54 | ······<ns0:actions> |
| 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 68 | ······</ns0:actions> | 56 | ······</ns0:actions> |
| 69 | ····</ns0:questionnaire> | 57 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure·Log·Files· | 59 | ······<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 72 | ······<ns0:actions> | 60 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 61 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 62 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 63 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 77 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 65 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 78 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 68 | ······</ns0:actions> |
| 81 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 83 | ······<ns0:title>Ensure· | 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 84 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 88 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 90 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| Offset 111, 38 lines modified | Offset 99, 50 lines modified | ||
| 111 | ····</ns0:questionnaire> | 99 | ····</ns0:questionnaire> |
| 112 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 100 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 113 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 101 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 114 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 115 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 103 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 116 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 117 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 113 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 114 | ······<ns0:actions> | ||
| 115 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ······</ns0:actions> | ||
| 117 | ····</ns0:questionnaire> | ||
| 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> | 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> |
| 120 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> | 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 131 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 132 | ······<ns0:actions> | ||
| 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 134 | ······</ns0:actions> | ||
| 135 | ····</ns0:questionnaire> | ||
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> | 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> | 131 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> |
| 138 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> | 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 141 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 137 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 138 | ······<ns0:actions> | ||
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 140 | ······</ns0:actions> | ||
| Max diff block lines reached; 20701/29320 bytes (70.60%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:37:43</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> | 12 | ········<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> | 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 160, 49 lines modified | Offset 160, 67 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id=" | 167 | ··<Profile·id="standard"> |
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Standard·System·Security·Profile·for·Ubuntu·16</title> |
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 170 | 170 | of·an·Ubuntu·16·system.·Regardless·of·your·system's·workload | |
| 171 | 171 | all·of·these·checks·should·pass.</description> | |
| 172 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 173 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 174 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 175 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 176 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 177 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 178 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 179 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 180 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 181 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 182 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 183 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | 184 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 176 | ····<select·idref=" | 185 | ····<select·idref="package_ntpdate_removed"·selected="true"/> |
| 186 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 187 | ····<select·idref="service_cron_enabled"·selected="true"/> | ||
| 188 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 189 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 190 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| 191 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 192 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 193 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 194 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 195 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 196 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 197 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 198 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 199 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 200 | ····<select·idref="file_permissions_boot_system_map"·selected="true"/> | ||
| 177 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | 201 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> |
| 178 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 202 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 179 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 203 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 180 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 204 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 205 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 206 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 207 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 208 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 181 | ····<select·idref="remediation_functions"·selected="false"/> | 209 | ····<select·idref="remediation_functions"·selected="false"/> |
| 182 | ····<select·idref=" | 210 | ····<select·idref="apt"·selected="false"/> |
| 183 | ····<select·idref="ssh"·selected="false"/> | ||
| 184 | ····<select·idref="ssh_server"·selected="false"/> | ||
| 185 | ····<select·idref="hw-install"·selected="false"/> | 211 | ····<select·idref="hw-install"·selected="false"/> |
| 186 | ····<select·idref="logging"·selected="false"/> | ||
| 187 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 212 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 188 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | ||
| 189 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 213 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 190 | ····<select·idref=" | 214 | ····<select·idref="sudo"·selected="false"/> |
| 191 | ····< | 215 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 192 | ····<select·idref="installation-storage-partitioning"·selected="false"/> | ||
| 193 | ····<select·idref="fs-restrict"·selected="false"/> | ||
| 194 | ····<select·idref="permission_important_state_files"·selected="false"/> | ||
| 195 | ····<select·idref="restriction"·selected="false"/> | ||
| 196 | ····<select·idref="coredumps"·selected="false"/> | ||
| 197 | ····<select·idref="enable_execshield_settings"·selected="false"/> | ||
| 198 | ··</Profile> | 216 | ··</Profile> |
| 199 | ··<Profile·id="anssi_np_nt28_ | 217 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 200 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 218 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 201 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 219 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 202 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 220 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 203 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 221 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 204 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 222 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 205 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 223 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 206 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 224 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 207 | ····<select·idref="package_nis_removed"·selected="true"/> | 225 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 208 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | 226 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| Offset 232, 16 lines modified | Offset 250, 16 lines modified | ||
| 232 | ····<select·idref="partition_for_var_log"·selected="true"/> | 250 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 233 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 251 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 234 | ····<select·idref="partition_for_home"·selected="true"/> | 252 | ····<select·idref="partition_for_home"·selected="true"/> |
| 235 | ····<select·idref="package_auditd_installed"·selected="true"/> | 253 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 236 | ····<select·idref="package_cron_installed"·selected="true"/> | 254 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 237 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 255 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 238 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | 256 | ····<select·idref="service_ntpd_enabled"·selected="true"/> |
| 239 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 240 | ····<select·idref="remediation_functions"·selected="false"/> | 257 | ····<select·idref="remediation_functions"·selected="false"/> |
| 258 | ····<select·idref="hw-install"·selected="false"/> | ||
| 241 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 259 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 242 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 260 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 243 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 261 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 244 | ··</Profile> | 262 | ··</Profile> |
| 245 | ··<Profile·id="anssi_np_nt28_average"> | 263 | ··<Profile·id="anssi_np_nt28_average"> |
| 246 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 264 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 247 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 265 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| Offset 280, 67 lines modified | Offset 298, 49 lines modified | ||
| 280 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | 298 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> |
| 281 | ····<select·idref="remediation_functions"·selected="false"/> | 299 | ····<select·idref="remediation_functions"·selected="false"/> |
| 282 | ····<select·idref="hw-install"·selected="false"/> | 300 | ····<select·idref="hw-install"·selected="false"/> |
| 283 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 301 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 284 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 302 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 285 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 303 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 286 | ··</Profile> | 304 | ··</Profile> |
| 287 | ··<Profile·id="st | 305 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 288 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 306 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 289 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 307 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| 290 | 308 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | |
| 291 | 309 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | |
| 292 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 293 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 294 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 295 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 296 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 297 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 298 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 299 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 300 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 301 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 310 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 302 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 311 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 303 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 312 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 304 | ····<select·idref="package_nis_removed"·selected="true"/> | 313 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 305 | ····<select·idref="p | 314 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| 306 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 307 | ····<select·idref="service_cron_enabled"·selected="true"/> | ||
| 308 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 309 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 310 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| Max diff block lines reached; 124021/135165 bytes (91.76%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····158 | 2 | -rw-r--r--···0········0········0·····1588·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···153 | 3 | -rw-r--r--···0········0········0···153672·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 220, 34 lines modified | Offset 220, 34 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm495 | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm496 | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4961">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4961"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-·ntp | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ntp_installed | 238 | ····-·package_ntp_installed |
| 239 | ····-·high_severity | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53-AU-8(1) | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | ····-·PCI-DSS-Req-10.4 | 245 | ····-·PCI-DSS-Req-10.4 |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm496 | 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4962">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4962"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 247 | class·install_ntp·{ | 247 | class·install_ntp·{ |
| 248 | ··package·{·'ntp': | 248 | ··package·{·'ntp': |
| 249 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 250 | ··} | 250 | ··} |
| 251 | } | 251 | } |
| 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server |
| Offset 258, 37 lines modified | Offset 258, 15 lines modified | ||
| 258 | consideration·in·the·OpenSSH·configuration·writing | 258 | consideration·in·the·OpenSSH·configuration·writing |
| 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for | 259 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for |
| 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 260 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 261 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 262 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 263 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 264 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 265 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 267 | permitted.·The·default·setting·in | ||
| 268 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 269 | verified·by·ensuring·that·the·following | ||
| 270 | line·appears: | ||
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 272 | result·in·security·vulnerabilities·and | ||
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 278 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 279 | <code>/etc/ssh/sshd_config</code>: | ||
| 280 | <pre>PermitEmptyPasswords·no</pre> | ||
| 281 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 282 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 287 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 266 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 267 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 290 | <br><br> | 268 | <br><br> |
| 291 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 269 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 292 | follows: | 270 | follows: |
| 293 | <pre>ClientAliveInterval·<b>interval</b></pre> | 271 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 294 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 272 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 298, 23 lines modified | Offset 276, 45 lines modified | ||
| 298 | shell,·that·value·will·preempt·any·SSH | 276 | shell,·that·value·will·preempt·any·SSH |
| 299 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 277 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 300 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 278 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 301 | guards·against·compromises·one·system·leading·trivially | 279 | guards·against·compromises·one·system·leading·trivially |
| 302 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 280 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 303 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 281 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 282 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 305 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 283 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5091"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 284 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 285 | permitted.·The·default·setting·in | ||
| 286 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 287 | verified·by·ensuring·that·the·following | ||
| 288 | line·appears: | ||
| 289 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 290 | result·in·security·vulnerabilities·and | ||
| 291 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 292 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 293 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 294 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count | ||
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 295 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 307 | edit·<code>/etc/ssh/sshd_config</code>·as | 296 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 308 | follows: | 297 | follows: |
| 309 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 298 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 310 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 299 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 311 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 300 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 301 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 313 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_ | 302 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5122"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 304 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 305 | <code>/etc/ssh/sshd_config</code>: | ||
| 306 | <pre>PermitEmptyPasswords·no</pre> | ||
| 307 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 308 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 309 | remote·login·via·SSH·will·require·a·password, | ||
| 310 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 311 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 312 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 313 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login"·id="guide-tree-leaf-idm5136"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">Disable·SSH·Root·Login | ||
| 314 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_root_login">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·root·user·should·never·be·allowed·to·login·to·a | 314 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_root_login">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·root·user·should·never·be·allowed·to·login·to·a |
| 315 | system·directly·over·a·network. | 315 | system·directly·over·a·network. |
| 316 | To·disable·root·login·via·SSH,·add·or·correct·the·following·line | 316 | To·disable·root·login·via·SSH,·add·or·correct·the·following·line |
| 317 | in·<code>/etc/ssh/sshd_config</code>: | 317 | in·<code>/etc/ssh/sshd_config</code>: |
| 318 | <pre>PermitRootLogin·no</pre></p><span·class="label·label-primary">Rationale:</span><p>Permitting·direct·root·login·reduces·auditable·information·about·who·ran | 318 | <pre>PermitRootLogin·no</pre></p><span·class="label·label-primary">Rationale:</span><p>Permitting·direct·root·login·reduces·auditable·information·about·who·ran |
| 319 | privileged·commands·on·the·system | 319 | privileged·commands·on·the·system |
| 320 | and·also·allows·direct·attack·attempts·on·root's·password.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 320 | and·also·allows·direct·attack·attempts·on·root's·password.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 373, 57 lines modified | Offset 373, 57 lines modified | ||
| 373 | news.notice·····················-/var/log/news/news.notice | 373 | news.notice·····················-/var/log/news/news.notice |
| 374 | </pre> | 374 | </pre> |
| 375 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. | 375 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. |
| 376 | <i>Note·that·the·<code>rsyslog</code>·daemon·is·configured·to·use·traditional·timestamping | 376 | <i>Note·that·the·<code>rsyslog</code>·daemon·is·configured·to·use·traditional·timestamping |
| 377 | to·be·understood·by·any·log·processing·program.·For·high·precision·timestamping, | 377 | to·be·understood·by·any·log·processing·program.·For·high·precision·timestamping, |
| 378 | comment·the·following·line·in·<code>/etc/rsyslog.conf</code>: | 378 | comment·the·following·line·in·<code>/etc/rsyslog.conf</code>: |
| 379 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre> | 379 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre> |
| 380 | </i></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ | 380 | </i></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm5244"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions |
| Max diff block lines reached; 20973/47772 bytes (43.90%) of diff not shown. | |||
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4961">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4961"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4962">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4962"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4965"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4972">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4972"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4973"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4964">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4964"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5091"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 379 | permitted.·The·default·setting·in | ||
| 380 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 381 | verified·by·ensuring·that·the·following | ||
| 382 | line·appears: | ||
| 383 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 384 | result·in·security·vulnerabilities·and | ||
| 385 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 386 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 387 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 388 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count | ||
| 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 389 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 401 | edit·<code>/etc/ssh/sshd_config</code>·as | 390 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 402 | follows: | 391 | follows: |
| 403 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 392 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 404 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 393 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 405 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 394 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| Max diff block lines reached; 27681/56123 bytes (49.32%) of diff not shown. | |||
| Offset 220, 62 lines modified | Offset 220, 62 lines modified | ||
| 220 | class·remove_telnetd·{ | 220 | class·remove_telnetd·{ |
| 221 | ··package·{·'telnetd': | 221 | ··package·{·'telnetd': |
| 222 | ····ensure·=>·'purged', | 222 | ····ensure·=>·'purged', |
| 223 | ··} | 223 | ··} |
| 224 | } | 224 | } |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 227 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 228 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 229 | ························ | 229 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 230 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 231 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4961">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4961"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 232 | ··package: | 232 | ··package: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····state=present | 234 | ····state=present |
| 235 | ··with_items: | 235 | ··with_items: |
| 236 | ····-· | 236 | ····-·ntp |
| 237 | ··tags: | 237 | ··tags: |
| 238 | ····-·package_ | 238 | ····-·package_ntp_installed |
| 239 | ····-· | 239 | ····-·high_severity |
| 240 | ····-·enable_strategy | 240 | ····-·enable_strategy |
| 241 | ····-·low_complexity | 241 | ····-·low_complexity |
| 242 | ····-·low_disruption | 242 | ····-·low_disruption |
| 243 | ····-·CCE- | 243 | ····-·CCE- |
| 244 | ····-·NIST-800-53- | 244 | ····-·NIST-800-53-AU-8(1) |
| 245 | 245 | ····-·PCI-DSS-Req-10.4 | |
| 246 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4962">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4962"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 246 | class·install_ | 247 | class·install_ntp·{ |
| 247 | ··package·{·' | 248 | ··package·{·'ntp': |
| 248 | ····ensure·=>·'installed', | 249 | ····ensure·=>·'installed', |
| 249 | ··} | 250 | ··} |
| 250 | } | 251 | } |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4965"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 253 | ························ | 254 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 254 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 255 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT | 256 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4972">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4972"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 256 | ··package: | 257 | ··package: |
| 257 | ····name="{{item}}" | 258 | ····name="{{item}}" |
| 258 | ····state=present | 259 | ····state=present |
| 259 | ··with_items: | 260 | ··with_items: |
| 260 | ····-· | 261 | ····-·cron |
| 261 | ··tags: | 262 | ··tags: |
| 262 | ····-·package_ | 263 | ····-·package_cron_installed |
| 263 | ····-· | 264 | ····-·medium_severity |
| 264 | ····-·enable_strategy | 265 | ····-·enable_strategy |
| 265 | ····-·low_complexity | 266 | ····-·low_complexity |
| 266 | ····-·low_disruption | 267 | ····-·low_disruption |
| 267 | ····-·CCE- | 268 | ····-·CCE- |
| 268 | ····-·NIST-800-53- | 269 | ····-·NIST-800-53-CM-7 |
| 269 | ····-· | 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4973"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4964">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4964"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp | ||
| 271 | class·install_ | 271 | class·install_cron·{ |
| 272 | ··package·{·' | 272 | ··package·{·'cron': |
| 273 | ····ensure·=>·'installed', | 273 | ····ensure·=>·'installed', |
| 274 | ··} | 274 | ··} |
| 275 | } | 275 | } |
| 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 276 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 278 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 279 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 352, 37 lines modified | Offset 352, 15 lines modified | ||
| 352 | consideration·in·the·OpenSSH·configuration·writing | 352 | consideration·in·the·OpenSSH·configuration·writing |
| 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for | 353 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for |
| 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 354 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 355 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 356 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 357 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 358 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 359 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 361 | permitted.·The·default·setting·in | ||
| 362 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 363 | verified·by·ensuring·that·the·following | ||
| 364 | line·appears: | ||
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 366 | result·in·security·vulnerabilities·and | ||
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 372 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 373 | <code>/etc/ssh/sshd_config</code>: | ||
| 374 | <pre>PermitEmptyPasswords·no</pre> | ||
| 375 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 376 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 381 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 360 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 361 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 384 | <br><br> | 362 | <br><br> |
| 385 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 363 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 386 | follows: | 364 | follows: |
| 387 | <pre>ClientAliveInterval·<b>interval</b></pre> | 365 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 388 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 366 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 392, 23 lines modified | Offset 370, 45 lines modified | ||
| 392 | shell,·that·value·will·preempt·any·SSH | 370 | shell,·that·value·will·preempt·any·SSH |
| 393 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 371 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 394 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 372 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 395 | guards·against·compromises·one·system·leading·trivially | 373 | guards·against·compromises·one·system·leading·trivially |
| 396 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 374 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 375 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 377 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"·id="guide-tree-leaf-idm5091"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">Allow·Only·SSH·Protocol·2 |
| 378 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 379 | permitted.·The·default·setting·in | ||
| 380 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 381 | verified·by·ensuring·that·the·following | ||
| 382 | line·appears: | ||
| 383 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 384 | result·in·security·vulnerabilities·and | ||
| 385 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 386 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 387 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 388 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count | ||
| 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 389 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 401 | edit·<code>/etc/ssh/sshd_config</code>·as | 390 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 402 | follows: | 391 | follows: |
| 403 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 392 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 404 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 393 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 405 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 394 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| Max diff block lines reached; 27681/56123 bytes (49.32%) of diff not shown. | |||
| Offset 222, 84 lines modified | Offset 222, 84 lines modified | ||
| 222 | class·remove_telnetd·{ | 222 | class·remove_telnetd·{ |
| 223 | ··package·{·'telnetd': | 223 | ··package·{·'telnetd': |
| 224 | ····ensure·=>·'purged', | 224 | ····ensure·=>·'purged', |
| 225 | ··} | 225 | ··} |
| 226 | } | 226 | } |
| 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 227 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 229 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 230 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 231 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 232 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 233 | ············<a·href="http:// | 233 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4949">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4949"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·cron |
| 234 | ·· | 234 | ··service: |
| 235 | ····name="{{item}}" | 235 | ····name="{{item}}" |
| 236 | ···· | 236 | ····enabled="yes" |
| 237 | ····state="started" | ||
| 237 | ··with_items: | 238 | ··with_items: |
| 238 | ····-·cron | 239 | ····-·cron |
| 239 | ··tags: | 240 | ··tags: |
| 240 | ····-· | 241 | ····-·service_cron_enabled |
| 241 | ····-·medium_severity | 242 | ····-·medium_severity |
| 242 | ····-·enable_strategy | 243 | ····-·enable_strategy |
| 243 | ····-·low_complexity | 244 | ····-·low_complexity |
| 244 | ····-·low_disruption | 245 | ····-·low_disruption |
| 245 | ····-·CCE- | 246 | ····-·CCE- |
| 246 | ····-·NIST-800-53-CM-7 | 247 | ····-·NIST-800-53-CM-7 |
| 247 | </code></pre></div>< | 248 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 248 | class·install_cron·{ | ||
| 249 | ··package·{·'cron': | ||
| 250 | ····ensure·=>·'installed', | ||
| 251 | ··} | ||
| 252 | } | ||
| 253 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4954"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | ||
| 254 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 249 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 255 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 250 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 256 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 251 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 257 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm496 | 252 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4961">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4961"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·ntp·is·installed |
| 258 | ··package: | 253 | ··package: |
| 259 | ····name="{{item}}" | 254 | ····name="{{item}}" |
| 260 | ····state=present | 255 | ····state=present |
| 261 | ··with_items: | 256 | ··with_items: |
| 262 | ····-·ntp | 257 | ····-·ntp |
| 263 | ··tags: | 258 | ··tags: |
| 264 | ····-·package_ntp_installed | 259 | ····-·package_ntp_installed |
| 265 | ····-·high_severity | 260 | ····-·high_severity |
| 266 | ····-·enable_strategy | 261 | ····-·enable_strategy |
| 267 | ····-·low_complexity | 262 | ····-·low_complexity |
| 268 | ····-·low_disruption | 263 | ····-·low_disruption |
| 269 | ····-·CCE- | 264 | ····-·CCE- |
| 270 | ····-·NIST-800-53-AU-8(1) | 265 | ····-·NIST-800-53-AU-8(1) |
| 271 | ····-·PCI-DSS-Req-10.4 | 266 | ····-·PCI-DSS-Req-10.4 |
| 272 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm496 | 267 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4962">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4962"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_ntp |
| 273 | class·install_ntp·{ | 268 | class·install_ntp·{ |
| 274 | ··package·{·'ntp': | 269 | ··package·{·'ntp': |
| 275 | ····ensure·=>·'installed', | 270 | ····ensure·=>·'installed', |
| 276 | ··} | 271 | ··} |
| 277 | } | 272 | } |
| 278 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 273 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed"·id="guide-tree-leaf-idm4965"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_cron_installed">Install·the·cron·service |
| 279 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ | 274 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 280 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 275 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 281 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 276 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 282 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm497 | 277 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4972">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4972"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·cron·is·installed |
| 283 | ·· | 278 | ··package: |
| 284 | ····name="{{item}}" | 279 | ····name="{{item}}" |
| 285 | ···· | 280 | ····state=present |
| 286 | ····state="started" | ||
| 287 | ··with_items: | 281 | ··with_items: |
| 288 | ····-·cron | 282 | ····-·cron |
| 289 | ··tags: | 283 | ··tags: |
| 290 | ····-· | 284 | ····-·package_cron_installed |
| 291 | ····-·medium_severity | 285 | ····-·medium_severity |
| 292 | ····-·enable_strategy | 286 | ····-·enable_strategy |
| 293 | ····-·low_complexity | 287 | ····-·low_complexity |
| 294 | ····-·low_disruption | 288 | ····-·low_disruption |
| 295 | ····-·CCE- | 289 | ····-·CCE- |
| 296 | ····-·NIST-800-53-CM-7 | 290 | ····-·NIST-800-53-CM-7 |
| 291 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4973"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_cron | ||
| 292 | class·install_cron·{ | ||
| 293 | ··package·{·'cron': | ||
| 294 | ····ensure·=>·'installed', | ||
| 295 | ··} | ||
| 296 | } | ||
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_auditd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_auditd_installed"·id="guide-tree-leaf-idm4976"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_auditd_installed">install·the·auditd·service |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_auditd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 299 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 300 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4982">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4982"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed | 301 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4982">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4982"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·auditd·is·installed |
| 302 | ··package: | 302 | ··package: |
| 303 | ····name="{{item}}" | 303 | ····name="{{item}}" |
| Offset 373, 37 lines modified | Offset 373, 15 lines modified | ||
| 373 | consideration·in·the·OpenSSH·configuration·writing | 373 | consideration·in·the·OpenSSH·configuration·writing |
| 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for | 374 | More·detailed·information·is·available·from·the·OpenSSH·project's·website·<a·href="http://www.openssh.org">http://www.openssh.org</a>.·The·Debian·package·for |
| 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 375 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 377 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 378 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 379 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 380 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Only·SSH·protocol·version·2·connections·should·be | ||
| 382 | permitted.·The·default·setting·in | ||
| 383 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | ||
| 384 | verified·by·ensuring·that·the·following | ||
| 385 | line·appears: | ||
| 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | ||
| 387 | result·in·security·vulnerabilities·and | ||
| 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords | ||
| 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with | ||
| 393 | empty·passwords,·add·or·correct·the·following·line·in | ||
| 394 | <code>/etc/ssh/sshd_config</code>: | ||
| 395 | <pre>PermitEmptyPasswords·no</pre> | ||
| 396 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | ||
| 397 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | ||
| 398 | remote·login·via·SSH·will·require·a·password, | ||
| 399 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 400 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 401 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 402 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval | ||
| 403 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 381 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 404 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 382 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 405 | <br><br> | 383 | <br><br> |
| 406 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 384 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| Max diff block lines reached; 32934/58295 bytes (56.50%) of diff not shown. | |||
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 106, 44 lines modified | Offset 106, 44 lines modified | ||
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| 112 | ···· | 112 | ···· |
| 113 | ····-·name:·Ensure· | 113 | ····-·name:·Ensure·ntp·is·installed |
| 114 | ······package: | 114 | ······package: |
| 115 | ········name="{{item}}" | 115 | ········name="{{item}}" |
| 116 | ········state=present | 116 | ········state=present |
| 117 | ······with_items: | 117 | ······with_items: |
| 118 | ········-· | 118 | ········-·ntp |
| 119 | ······tags: | 119 | ······tags: |
| 120 | ········-·package_ | 120 | ········-·package_ntp_installed |
| 121 | ········-· | 121 | ········-·high_severity |
| 122 | ········-·enable_strategy | 122 | ········-·enable_strategy |
| 123 | ········-·low_complexity | 123 | ········-·low_complexity |
| 124 | ········-·low_disruption | 124 | ········-·low_disruption |
| 125 | ········-·CCE- | 125 | ········-·CCE- |
| 126 | ········-·NIST-800-53- | 126 | ········-·NIST-800-53-AU-8(1) |
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 127 | ···· | 128 | ···· |
| 128 | ····-·name:·Ensure· | 129 | ····-·name:·Ensure·cron·is·installed |
| 129 | ······package: | 130 | ······package: |
| 130 | ········name="{{item}}" | 131 | ········name="{{item}}" |
| 131 | ········state=present | 132 | ········state=present |
| 132 | ······with_items: | 133 | ······with_items: |
| 133 | ········-· | 134 | ········-·cron |
| 134 | ······tags: | 135 | ······tags: |
| 135 | ········-·package_ | 136 | ········-·package_cron_installed |
| 136 | ········-· | 137 | ········-·medium_severity |
| 137 | ········-·enable_strategy | 138 | ········-·enable_strategy |
| 138 | ········-·low_complexity | 139 | ········-·low_complexity |
| 139 | ········-·low_disruption | 140 | ········-·low_disruption |
| 140 | ········-·CCE- | 141 | ········-·CCE- |
| 141 | ········-·NIST-800-53- | 142 | ········-·NIST-800-53-CM-7 |
| 142 | ········-·PCI-DSS-Req-10.4 | ||
| 143 | ···· | 143 | ···· |
| 144 | ····-·name:·Ensure·auditd·is·installed | 144 | ····-·name:·Ensure·auditd·is·installed |
| 145 | ······package: | 145 | ······package: |
| 146 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 147 | ········state=present | 147 | ········state=present |
| 148 | ······with_items: | 148 | ······with_items: |
| 149 | ········-·auditd | 149 | ········-·auditd |
| Offset 108, 22 lines modified | Offset 108, 23 lines modified | ||
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 114 | ···· |
| 115 | ····-·name:·En | 115 | ····-·name:·Enable·service·cron |
| 116 | ······ | 116 | ······service: |
| 117 | ········name="{{item}}" | 117 | ········name="{{item}}" |
| 118 | ········ | 118 | ········enabled="yes" |
| 119 | ········state="started" | ||
| 119 | ······with_items: | 120 | ······with_items: |
| 120 | ········-·cron | 121 | ········-·cron |
| 121 | ······tags: | 122 | ······tags: |
| 122 | ········-· | 123 | ········-·service_cron_enabled |
| 123 | ········-·medium_severity | 124 | ········-·medium_severity |
| 124 | ········-·enable_strategy | 125 | ········-·enable_strategy |
| 125 | ········-·low_complexity | 126 | ········-·low_complexity |
| 126 | ········-·low_disruption | 127 | ········-·low_disruption |
| 127 | ········-·CCE- | 128 | ········-·CCE- |
| 128 | ········-·NIST-800-53-CM-7 | 129 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 130 | ···· |
| Offset 139, 23 lines modified | Offset 140, 22 lines modified | ||
| 139 | ········-·enable_strategy | 140 | ········-·enable_strategy |
| 140 | ········-·low_complexity | 141 | ········-·low_complexity |
| 141 | ········-·low_disruption | 142 | ········-·low_disruption |
| 142 | ········-·CCE- | 143 | ········-·CCE- |
| 143 | ········-·NIST-800-53-AU-8(1) | 144 | ········-·NIST-800-53-AU-8(1) |
| 144 | ········-·PCI-DSS-Req-10.4 | 145 | ········-·PCI-DSS-Req-10.4 |
| 145 | ···· | 146 | ···· |
| 146 | ····-·name:·En | 147 | ····-·name:·Ensure·cron·is·installed |
| 147 | ······ | 148 | ······package: |
| 148 | ········name="{{item}}" | 149 | ········name="{{item}}" |
| 149 | ········ | 150 | ········state=present |
| 150 | ········state="started" | ||
| 151 | ······with_items: | 151 | ······with_items: |
| 152 | ········-·cron | 152 | ········-·cron |
| 153 | ······tags: | 153 | ······tags: |
| 154 | ········-· | 154 | ········-·package_cron_installed |
| 155 | ········-·medium_severity | 155 | ········-·medium_severity |
| 156 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 157 | ········-·low_complexity | 157 | ········-·low_complexity |
| 158 | ········-·low_disruption | 158 | ········-·low_disruption |
| 159 | ········-·CCE- | 159 | ········-·CCE- |
| 160 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ···· | 161 | ···· |
| Offset 90, 40 lines modified | Offset 90, 40 lines modified | ||
| 90 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' | 90 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") | 92 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·'package_ntp_installed' | 94 | #·END·fix·for·'package_ntp_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·37)·for·'sshd_ | 96 | #·BEGIN·fix·(7·/·37)·for·'sshd_set_idle_timeout' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/37:·'sshd_ | 98 | (>&2·echo·"Remediating·rule·7/37:·'sshd_set_idle_timeout'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'sshd_ | 100 | #·END·fix·for·'sshd_set_idle_timeout' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·37)·for·'sshd_ | 102 | #·BEGIN·fix·(8·/·37)·for·'sshd_allow_only_protocol2' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/37:·'sshd_ | 104 | (>&2·echo·"Remediating·rule·8/37:·'sshd_allow_only_protocol2'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'sshd_ | 106 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·37)·for·'sshd_set_ | 108 | #·BEGIN·fix·(9·/·37)·for·'sshd_set_keepalive' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/37:·'sshd_set_ | 110 | (>&2·echo·"Remediating·rule·9/37:·'sshd_set_keepalive'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'sshd_set_ | 112 | #·END·fix·for·'sshd_set_keepalive' |
| 113 | ############################################################################### | 113 | ############################################################################### |
| 114 | #·BEGIN·fix·(10·/·37)·for·'sshd_set_ | 114 | #·BEGIN·fix·(10·/·37)·for·'sshd_disable_empty_passwords' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·10/37:·'sshd_set_ | 116 | (>&2·echo·"Remediating·rule·10/37:·'sshd_disable_empty_passwords'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'sshd_set_ | 118 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login' | 120 | #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'") | 122 | (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'") |
| 123 | #·FIX·FOR·THIS·RULE·IS·MISSING | 123 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 124 | #·END·fix·for·'sshd_disable_root_login' | 124 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 139, 33 lines modified | Offset 139, 33 lines modified | ||
| 139 | #·BEGIN·fix·(13·/·37)·for·'apt_sources_list_official' | 139 | #·BEGIN·fix·(13·/·37)·for·'apt_sources_list_official' |
| 140 | ############################################################################### | 140 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule·13/37:·'apt_sources_list_official'") | 141 | (>&2·echo·"Remediating·rule·13/37:·'apt_sources_list_official'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 142 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'apt_sources_list_official' | 143 | #·END·fix·for·'apt_sources_list_official' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | #·BEGIN·fix·(14·/·37)·for·'rsyslog_files_ | 145 | #·BEGIN·fix·(14·/·37)·for·'rsyslog_files_permissions' |
| 146 | ############################################################################### | 146 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule·14/37:·'rsyslog_files_ | 147 | (>&2·echo·"Remediating·rule·14/37:·'rsyslog_files_permissions'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 148 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'rsyslog_files_ | 149 | #·END·fix·for·'rsyslog_files_permissions' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | #·BEGIN·fix·(15·/·37)·for·'rsyslog_files_ownership' | 151 | #·BEGIN·fix·(15·/·37)·for·'rsyslog_files_ownership' |
| 152 | ############################################################################### | 152 | ############################################################################### |
| 153 | (>&2·echo·"Remediating·rule·15/37:·'rsyslog_files_ownership'") | 153 | (>&2·echo·"Remediating·rule·15/37:·'rsyslog_files_ownership'") |
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | 154 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 155 | #·END·fix·for·'rsyslog_files_ownership' | 155 | #·END·fix·for·'rsyslog_files_ownership' |
| 156 | ############################################################################### | 156 | ############################################################################### |
| 157 | #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_p | 157 | #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_groupownership' |
| 158 | ############################################################################### | 158 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_p | 159 | (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_groupownership'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | 160 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 161 | #·END·fix·for·'rsyslog_files_p | 161 | #·END·fix·for·'rsyslog_files_groupownership' |
| 162 | ############################################################################### | 162 | ############################################################################### |
| 163 | #·BEGIN·fix·(17·/·37)·for·'package_syslogng_installed' | 163 | #·BEGIN·fix·(17·/·37)·for·'package_syslogng_installed' |
| 164 | ############################################################################### | 164 | ############################################################################### |
| 165 | (>&2·echo·"Remediating·rule·17/37:·'package_syslogng_installed'") | 165 | (>&2·echo·"Remediating·rule·17/37:·'package_syslogng_installed'") |
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | 166 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 167 | #·END·fix·for·'package_syslogng_installed' | 167 | #·END·fix·for·'package_syslogng_installed' |
| Offset 216, 26 lines modified | Offset 216, 26 lines modified | ||
| 216 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' | 216 | #·BEGIN·fix·(24·/·37)·for·'partition_for_home' |
| 217 | ############################################################################### | 217 | ############################################################################### |
| 218 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") | 218 | (>&2·echo·"Remediating·rule·24/37:·'partition_for_home'") |
| 219 | #·FIX·FOR·THIS·RULE·IS·MISSING | 219 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 220 | #·END·fix·for·'partition_for_home' | 220 | #·END·fix·for·'partition_for_home' |
| 221 | ############################################################################### | 221 | ############################################################################### |
| 222 | #·BEGIN·fix·(25·/·37)·for·'partition_for_ | 222 | #·BEGIN·fix·(25·/·37)·for·'partition_for_var' |
| 223 | ############################################################################### | 223 | ############################################################################### |
| 224 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_ | 224 | (>&2·echo·"Remediating·rule·25/37:·'partition_for_var'") |
| 225 | #·FIX·FOR·THIS·RULE·IS·MISSING | 225 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 226 | #·END·fix·for·'partition_for_ | 226 | #·END·fix·for·'partition_for_var' |
| 227 | ############################################################################### | 227 | ############################################################################### |
| 228 | #·BEGIN·fix·(26·/·37)·for·'partition_for_ | 228 | #·BEGIN·fix·(26·/·37)·for·'partition_for_tmp' |
| 229 | ############################################################################### | 229 | ############################################################################### |
| 230 | (>&2·echo·"Remediating·rule·26/37:·'partition_for_ | 230 | (>&2·echo·"Remediating·rule·26/37:·'partition_for_tmp'") |
| 231 | #·FIX·FOR·THIS·RULE·IS·MISSING | 231 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 232 | #·END·fix·for·'partition_for_ | 232 | #·END·fix·for·'partition_for_tmp' |
| 233 | ############################################################################### | 233 | ############################################################################### |
| 234 | #·BEGIN·fix·(27·/·37)·for·'partition_for_var_log_audit' | 234 | #·BEGIN·fix·(27·/·37)·for·'partition_for_var_log_audit' |
| 235 | ############################################################################### | 235 | ############################################################################### |
| 236 | (>&2·echo·"Remediating·rule·27/37:·'partition_for_var_log_audit'") | 236 | (>&2·echo·"Remediating·rule·27/37:·'partition_for_var_log_audit'") |
| 237 | #·FIX·FOR·THIS·RULE·IS·MISSING | 237 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 238 | #·END·fix·for·'partition_for_var_log_audit' | 238 | #·END·fix·for·'partition_for_var_log_audit' |
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·42)·for·'package_ | 88 | #·BEGIN·fix·(6·/·42)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/42:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/42:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·42)·for·'package_ | 94 | #·BEGIN·fix·(7·/·42)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/42:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/42:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·42)·for·'service_ntp_enabled' | 118 | #·BEGIN·fix·(10·/·42)·for·'service_ntp_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/42:·'service_ntp_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/42:·'service_ntp_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_ntp_enabled' | 122 | #·END·fix·for·'service_ntp_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·42)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·42)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/42:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/42:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·42)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·42)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/42:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/42:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·42)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·42)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/42:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/42:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·42)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·42)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/42:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/42:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 167, 33 lines modified | Offset 167, 33 lines modified | ||
| 167 | #·BEGIN·fix·(17·/·42)·for·'apt_sources_list_official' | 167 | #·BEGIN·fix·(17·/·42)·for·'apt_sources_list_official' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | (>&2·echo·"Remediating·rule·17/42:·'apt_sources_list_official'") | 169 | (>&2·echo·"Remediating·rule·17/42:·'apt_sources_list_official'") |
| 170 | #·FIX·FOR·THIS·RULE·IS·MISSING | 170 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 171 | #·END·fix·for·'apt_sources_list_official' | 171 | #·END·fix·for·'apt_sources_list_official' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | #·BEGIN·fix·(18·/·42)·for·'rsyslog_files_ | 173 | #·BEGIN·fix·(18·/·42)·for·'rsyslog_files_permissions' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | (>&2·echo·"Remediating·rule·18/42:·'rsyslog_files_ | 175 | (>&2·echo·"Remediating·rule·18/42:·'rsyslog_files_permissions'") |
| 176 | #·FIX·FOR·THIS·RULE·IS·MISSING | 176 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 177 | #·END·fix·for·'rsyslog_files_ | 177 | #·END·fix·for·'rsyslog_files_permissions' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | #·BEGIN·fix·(19·/·42)·for·'rsyslog_files_ownership' | 179 | #·BEGIN·fix·(19·/·42)·for·'rsyslog_files_ownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | (>&2·echo·"Remediating·rule·19/42:·'rsyslog_files_ownership'") | 181 | (>&2·echo·"Remediating·rule·19/42:·'rsyslog_files_ownership'") |
| 182 | #·FIX·FOR·THIS·RULE·IS·MISSING | 182 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 183 | #·END·fix·for·'rsyslog_files_ownership' | 183 | #·END·fix·for·'rsyslog_files_ownership' |
| 184 | ############################################################################### | 184 | ############################################################################### |
| 185 | #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_p | 185 | #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_groupownership' |
| 186 | ############################################################################### | 186 | ############################################################################### |
| 187 | (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_p | 187 | (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_groupownership'") |
| 188 | #·FIX·FOR·THIS·RULE·IS·MISSING | 188 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 189 | #·END·fix·for·'rsyslog_files_p | 189 | #·END·fix·for·'rsyslog_files_groupownership' |
| 190 | ############################################################################### | 190 | ############################################################################### |
| 191 | #·BEGIN·fix·(21·/·42)·for·'package_syslogng_installed' | 191 | #·BEGIN·fix·(21·/·42)·for·'package_syslogng_installed' |
| 192 | ############################################################################### | 192 | ############################################################################### |
| 193 | (>&2·echo·"Remediating·rule·21/42:·'package_syslogng_installed'") | 193 | (>&2·echo·"Remediating·rule·21/42:·'package_syslogng_installed'") |
| 194 | #·FIX·FOR·THIS·RULE·IS·MISSING | 194 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 195 | #·END·fix·for·'package_syslogng_installed' | 195 | #·END·fix·for·'package_syslogng_installed' |
| Offset 244, 26 lines modified | Offset 244, 26 lines modified | ||
| 244 | #·BEGIN·fix·(28·/·42)·for·'partition_for_home' | 244 | #·BEGIN·fix·(28·/·42)·for·'partition_for_home' |
| 245 | ############################################################################### | 245 | ############################################################################### |
| 246 | (>&2·echo·"Remediating·rule·28/42:·'partition_for_home'") | 246 | (>&2·echo·"Remediating·rule·28/42:·'partition_for_home'") |
| 247 | #·FIX·FOR·THIS·RULE·IS·MISSING | 247 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 248 | #·END·fix·for·'partition_for_home' | 248 | #·END·fix·for·'partition_for_home' |
| 249 | ############################################################################### | 249 | ############################################################################### |
| 250 | #·BEGIN·fix·(29·/·42)·for·'partition_for_ | 250 | #·BEGIN·fix·(29·/·42)·for·'partition_for_var' |
| 251 | ############################################################################### | 251 | ############################################################################### |
| 252 | (>&2·echo·"Remediating·rule·29/42:·'partition_for_ | 252 | (>&2·echo·"Remediating·rule·29/42:·'partition_for_var'") |
| 253 | #·FIX·FOR·THIS·RULE·IS·MISSING | 253 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 254 | #·END·fix·for·'partition_for_ | 254 | #·END·fix·for·'partition_for_var' |
| 255 | ############################################################################### | 255 | ############################################################################### |
| 256 | #·BEGIN·fix·(30·/·42)·for·'partition_for_ | 256 | #·BEGIN·fix·(30·/·42)·for·'partition_for_tmp' |
| 257 | ############################################################################### | 257 | ############################################################################### |
| 258 | (>&2·echo·"Remediating·rule·30/42:·'partition_for_ | 258 | (>&2·echo·"Remediating·rule·30/42:·'partition_for_tmp'") |
| 259 | #·FIX·FOR·THIS·RULE·IS·MISSING | 259 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 260 | #·END·fix·for·'partition_for_ | 260 | #·END·fix·for·'partition_for_tmp' |
| 261 | ############################################################################### | 261 | ############################################################################### |
| 262 | #·BEGIN·fix·(31·/·42)·for·'partition_for_var_log_audit' | 262 | #·BEGIN·fix·(31·/·42)·for·'partition_for_var_log_audit' |
| 263 | ############################################################################### | 263 | ############################################################################### |
| 264 | (>&2·echo·"Remediating·rule·31/42:·'partition_for_var_log_audit'") | 264 | (>&2·echo·"Remediating·rule·31/42:·'partition_for_var_log_audit'") |
| 265 | #·FIX·FOR·THIS·RULE·IS·MISSING | 265 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| Max diff block lines reached; 0/7875 bytes (0.00%) of diff not shown. | |||
| Offset 83, 26 lines modified | Offset 83, 26 lines modified | ||
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·41)·for·'package_ | 88 | #·BEGIN·fix·(6·/·41)·for·'package_ntp_installed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/41:·'package_ | 90 | (>&2·echo·"Remediating·rule·6/41:·'package_ntp_installed'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'package_ | 92 | #·END·fix·for·'package_ntp_installed' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(7·/·41)·for·'package_ | 94 | #·BEGIN·fix·(7·/·41)·for·'package_cron_installed' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·7/41:·'package_ | 96 | (>&2·echo·"Remediating·rule·7/41:·'package_cron_installed'") |
| 97 | #·FIX·FOR·THIS·RULE·IS·MISSING | 97 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 98 | #·END·fix·for·'package_ | 98 | #·END·fix·for·'package_cron_installed' |
| 99 | ############################################################################### | 99 | ############################################################################### |
| 100 | #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed' | 100 | #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'") | 102 | (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 103 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·'package_auditd_installed' | 104 | #·END·fix·for·'package_auditd_installed' |
| Offset 118, 40 lines modified | Offset 118, 40 lines modified | ||
| 118 | #·BEGIN·fix·(10·/·41)·for·'service_ntp_enabled' | 118 | #·BEGIN·fix·(10·/·41)·for·'service_ntp_enabled' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | (>&2·echo·"Remediating·rule·10/41:·'service_ntp_enabled'") | 120 | (>&2·echo·"Remediating·rule·10/41:·'service_ntp_enabled'") |
| 121 | #·FIX·FOR·THIS·RULE·IS·MISSING | 121 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 122 | #·END·fix·for·'service_ntp_enabled' | 122 | #·END·fix·for·'service_ntp_enabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(11·/·41)·for·'sshd_ | 124 | #·BEGIN·fix·(11·/·41)·for·'sshd_set_idle_timeout' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·11/41:·'sshd_ | 126 | (>&2·echo·"Remediating·rule·11/41:·'sshd_set_idle_timeout'") |
| 127 | #·FIX·FOR·THIS·RULE·IS·MISSING | 127 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 128 | #·END·fix·for·'sshd_ | 128 | #·END·fix·for·'sshd_set_idle_timeout' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | #·BEGIN·fix·(12·/·41)·for·'sshd_ | 130 | #·BEGIN·fix·(12·/·41)·for·'sshd_allow_only_protocol2' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | (>&2·echo·"Remediating·rule·12/41:·'sshd_ | 132 | (>&2·echo·"Remediating·rule·12/41:·'sshd_allow_only_protocol2'") |
| 133 | #·FIX·FOR·THIS·RULE·IS·MISSING | 133 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 134 | #·END·fix·for·'sshd_ | 134 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | #·BEGIN·fix·(13·/·41)·for·'sshd_set_ | 136 | #·BEGIN·fix·(13·/·41)·for·'sshd_set_keepalive' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | (>&2·echo·"Remediating·rule·13/41:·'sshd_set_ | 138 | (>&2·echo·"Remediating·rule·13/41:·'sshd_set_keepalive'") |
| 139 | #·FIX·FOR·THIS·RULE·IS·MISSING | 139 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 140 | #·END·fix·for·'sshd_set_ | 140 | #·END·fix·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | #·BEGIN·fix·(14·/·41)·for·'sshd_set_ | 142 | #·BEGIN·fix·(14·/·41)·for·'sshd_disable_empty_passwords' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | (>&2·echo·"Remediating·rule·14/41:·'sshd_set_ | 144 | (>&2·echo·"Remediating·rule·14/41:·'sshd_disable_empty_passwords'") |
| 145 | #·FIX·FOR·THIS·RULE·IS·MISSING | 145 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 146 | #·END·fix·for·'sshd_set_ | 146 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login' | 148 | #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'") | 150 | (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'") |
| 151 | #·FIX·FOR·THIS·RULE·IS·MISSING | 151 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 152 | #·END·fix·for·'sshd_disable_root_login' | 152 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 167, 33 lines modified | Offset 167, 33 lines modified | ||
| 167 | #·BEGIN·fix·(17·/·41)·for·'apt_sources_list_official' | 167 | #·BEGIN·fix·(17·/·41)·for·'apt_sources_list_official' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | (>&2·echo·"Remediating·rule·17/41:·'apt_sources_list_official'") | 169 | (>&2·echo·"Remediating·rule·17/41:·'apt_sources_list_official'") |
| 170 | #·FIX·FOR·THIS·RULE·IS·MISSING | 170 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 171 | #·END·fix·for·'apt_sources_list_official' | 171 | #·END·fix·for·'apt_sources_list_official' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | #·BEGIN·fix·(18·/·41)·for·'rsyslog_files_ | 173 | #·BEGIN·fix·(18·/·41)·for·'rsyslog_files_permissions' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | (>&2·echo·"Remediating·rule·18/41:·'rsyslog_files_ | 175 | (>&2·echo·"Remediating·rule·18/41:·'rsyslog_files_permissions'") |
| 176 | #·FIX·FOR·THIS·RULE·IS·MISSING | 176 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 177 | #·END·fix·for·'rsyslog_files_ | 177 | #·END·fix·for·'rsyslog_files_permissions' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | #·BEGIN·fix·(19·/·41)·for·'rsyslog_files_ownership' | 179 | #·BEGIN·fix·(19·/·41)·for·'rsyslog_files_ownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | (>&2·echo·"Remediating·rule·19/41:·'rsyslog_files_ownership'") | 181 | (>&2·echo·"Remediating·rule·19/41:·'rsyslog_files_ownership'") |
| 182 | #·FIX·FOR·THIS·RULE·IS·MISSING | 182 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 183 | #·END·fix·for·'rsyslog_files_ownership' | 183 | #·END·fix·for·'rsyslog_files_ownership' |
| 184 | ############################################################################### | 184 | ############################################################################### |
| 185 | #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_p | 185 | #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_groupownership' |
| 186 | ############################################################################### | 186 | ############################################################################### |
| 187 | (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_p | 187 | (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_groupownership'") |
| 188 | #·FIX·FOR·THIS·RULE·IS·MISSING | 188 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 189 | #·END·fix·for·'rsyslog_files_p | 189 | #·END·fix·for·'rsyslog_files_groupownership' |
| 190 | ############################################################################### | 190 | ############################################################################### |
| 191 | #·BEGIN·fix·(21·/·41)·for·'package_syslogng_installed' | 191 | #·BEGIN·fix·(21·/·41)·for·'package_syslogng_installed' |
| 192 | ############################################################################### | 192 | ############################################################################### |
| 193 | (>&2·echo·"Remediating·rule·21/41:·'package_syslogng_installed'") | 193 | (>&2·echo·"Remediating·rule·21/41:·'package_syslogng_installed'") |
| 194 | #·FIX·FOR·THIS·RULE·IS·MISSING | 194 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 195 | #·END·fix·for·'package_syslogng_installed' | 195 | #·END·fix·for·'package_syslogng_installed' |
| Offset 244, 26 lines modified | Offset 244, 26 lines modified | ||
| 244 | #·BEGIN·fix·(28·/·41)·for·'partition_for_home' | 244 | #·BEGIN·fix·(28·/·41)·for·'partition_for_home' |
| 245 | ############################################################################### | 245 | ############################################################################### |
| 246 | (>&2·echo·"Remediating·rule·28/41:·'partition_for_home'") | 246 | (>&2·echo·"Remediating·rule·28/41:·'partition_for_home'") |
| 247 | #·FIX·FOR·THIS·RULE·IS·MISSING | 247 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 248 | #·END·fix·for·'partition_for_home' | 248 | #·END·fix·for·'partition_for_home' |
| 249 | ############################################################################### | 249 | ############################################################################### |
| 250 | #·BEGIN·fix·(29·/·41)·for·'partition_for_ | 250 | #·BEGIN·fix·(29·/·41)·for·'partition_for_var' |
| 251 | ############################################################################### | 251 | ############################################################################### |
| 252 | (>&2·echo·"Remediating·rule·29/41:·'partition_for_ | 252 | (>&2·echo·"Remediating·rule·29/41:·'partition_for_var'") |
| 253 | #·FIX·FOR·THIS·RULE·IS·MISSING | 253 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 254 | #·END·fix·for·'partition_for_ | 254 | #·END·fix·for·'partition_for_var' |
| 255 | ############################################################################### | 255 | ############################################################################### |
| 256 | #·BEGIN·fix·(30·/·41)·for·'partition_for_ | 256 | #·BEGIN·fix·(30·/·41)·for·'partition_for_tmp' |
| 257 | ############################################################################### | 257 | ############################################################################### |
| 258 | (>&2·echo·"Remediating·rule·30/41:·'partition_for_ | 258 | (>&2·echo·"Remediating·rule·30/41:·'partition_for_tmp'") |
| 259 | #·FIX·FOR·THIS·RULE·IS·MISSING | 259 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 260 | #·END·fix·for·'partition_for_ | 260 | #·END·fix·for·'partition_for_tmp' |
| 261 | ############################################################################### | 261 | ############################################################################### |
| 262 | #·BEGIN·fix·(31·/·41)·for·'partition_for_var_log_audit' | 262 | #·BEGIN·fix·(31·/·41)·for·'partition_for_var_log_audit' |
| 263 | ############################################################################### | 263 | ############################################################################### |
| 264 | (>&2·echo·"Remediating·rule·31/41:·'partition_for_var_log_audit'") | 264 | (>&2·echo·"Remediating·rule·31/41:·'partition_for_var_log_audit'") |
| 265 | #·FIX·FOR·THIS·RULE·IS·MISSING | 265 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| Max diff block lines reached; 0/7875 bytes (0.00%) of diff not shown. | |||
| Offset 85, 33 lines modified | Offset 85, 33 lines modified | ||
| 85 | #» ···remediation·AFTER·testing·on·a·non-production | 85 | #» ···remediation·AFTER·testing·on·a·non-production |
| 86 | #» ···system! | 86 | #» ···system! |
| 87 | apt-get·remove·--purge·telnetd | 87 | apt-get·remove·--purge·telnetd |
| 88 | #·END·fix·for·'package_telnetd_removed' | 88 | #·END·fix·for·'package_telnetd_removed' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | #·BEGIN·fix·(6·/·36)·for·' | 90 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·6/36:·' | 92 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·' | 94 | #·END·fix·for·'service_cron_enabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' | 96 | #·BEGIN·fix·(7·/·36)·for·'package_ntp_installed' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") | 98 | (>&2·echo·"Remediating·rule·7/36:·'package_ntp_installed'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'package_ntp_installed' | 100 | #·END·fix·for·'package_ntp_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(8·/·36)·for·' | 102 | #·BEGIN·fix·(8·/·36)·for·'package_cron_installed' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·8/36:·' | 104 | (>&2·echo·"Remediating·rule·8/36:·'package_cron_installed'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·' | 106 | #·END·fix·for·'package_cron_installed' |
| 107 | ############################################################################### | 107 | ############################################################################### |
| 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' | 108 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") | 110 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'package_auditd_installed' | 112 | #·END·fix·for·'package_auditd_installed' |
| Offset 127, 68 lines modified | Offset 127, 68 lines modified | ||
| 127 | #·BEGIN·fix·(11·/·36)·for·'service_ntp_enabled' | 127 | #·BEGIN·fix·(11·/·36)·for·'service_ntp_enabled' |
| 128 | ############################################################################### | 128 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule·11/36:·'service_ntp_enabled'") | 129 | (>&2·echo·"Remediating·rule·11/36:·'service_ntp_enabled'") |
| 130 | #·FIX·FOR·THIS·RULE·IS·MISSING | 130 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 131 | #·END·fix·for·'service_ntp_enabled' | 131 | #·END·fix·for·'service_ntp_enabled' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 133 | #·BEGIN·fix·(12·/·36)·for·'sshd_set_idle_timeout' |
| 134 | ############################################################################### | 134 | ############################################################################### |
| 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 135 | (>&2·echo·"Remediating·rule·12/36:·'sshd_set_idle_timeout'") |
| 136 | #·FIX·FOR·THIS·RULE·IS·MISSING | 136 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 137 | #·END·fix·for·'sshd_ | 137 | #·END·fix·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 139 | #·BEGIN·fix·(13·/·36)·for·'sshd_allow_only_protocol2' |
| 140 | ############################################################################### | 140 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 141 | (>&2·echo·"Remediating·rule·13/36:·'sshd_allow_only_protocol2'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 142 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'sshd_ | 143 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 145 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_keepalive' |
| 146 | ############################################################################### | 146 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 147 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_keepalive'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 148 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'sshd_set_ | 149 | #·END·fix·for·'sshd_set_keepalive' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 151 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 152 | ############################################################################### | 152 | ############################################################################### |
| 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 153 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | 154 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 155 | #·END·fix·for·'sshd_set_ | 155 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 156 | ############################################################################### | 156 | ############################################################################### |
| 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 157 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 158 | ############################################################################### | 158 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 159 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | 160 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 161 | #·END·fix·for·'sshd_disable_root_login' | 161 | #·END·fix·for·'sshd_disable_root_login' |
| 162 | ############################################################################### | 162 | ############################################################################### |
| 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_ | 163 | #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions' |
| 164 | ############################################################################### | 164 | ############################################################################### |
| 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_ | 165 | (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'") |
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | 166 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 167 | #·END·fix·for·'rsyslog_files_ | 167 | #·END·fix·for·'rsyslog_files_permissions' |
| 168 | ############################################################################### | 168 | ############################################################################### |
| 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' | 169 | #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership' |
| 170 | ############################################################################### | 170 | ############################################################################### |
| 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") | 171 | (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'") |
| 172 | #·FIX·FOR·THIS·RULE·IS·MISSING | 172 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 173 | #·END·fix·for·'rsyslog_files_ownership' | 173 | #·END·fix·for·'rsyslog_files_ownership' |
| 174 | ############################################################################### | 174 | ############################################################################### |
| 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_p | 175 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_p | 177 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'") |
| 178 | #·FIX·FOR·THIS·RULE·IS·MISSING | 178 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 179 | #·END·fix·for·'rsyslog_files_p | 179 | #·END·fix·for·'rsyslog_files_groupownership' |
| 180 | ############################################################################### | 180 | ############################################################################### |
| 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' | 181 | #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated' |
| 182 | ############################################################################### | 182 | ############################################################################### |
| 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") | 183 | (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'") |
| 184 | #·FIX·FOR·THIS·RULE·IS·MISSING | 184 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 185 | #·END·fix·for·'ensure_logrotate_activated' | 185 | #·END·fix·for·'ensure_logrotate_activated' |
| Offset 211, 26 lines modified | Offset 211, 26 lines modified | ||
| 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' | 211 | #·BEGIN·fix·(23·/·36)·for·'partition_for_home' |
| 212 | ############################################################################### | 212 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") | 213 | (>&2·echo·"Remediating·rule·23/36:·'partition_for_home'") |
| 214 | #·FIX·FOR·THIS·RULE·IS·MISSING | 214 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 215 | #·END·fix·for·'partition_for_home' | 215 | #·END·fix·for·'partition_for_home' |
| 216 | ############################################################################### | 216 | ############################################################################### |
| 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_ | 217 | #·BEGIN·fix·(24·/·36)·for·'partition_for_var' |
| 218 | ############################################################################### | 218 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_ | 219 | (>&2·echo·"Remediating·rule·24/36:·'partition_for_var'") |
| 220 | #·FIX·FOR·THIS·RULE·IS·MISSING | 220 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 221 | #·END·fix·for·'partition_for_ | 221 | #·END·fix·for·'partition_for_var' |
| 222 | ############################################################################### | 222 | ############################################################################### |
| 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_ | 223 | #·BEGIN·fix·(25·/·36)·for·'partition_for_tmp' |
| 224 | ############################################################################### | 224 | ############################################################################### |
| 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_ | 225 | (>&2·echo·"Remediating·rule·25/36:·'partition_for_tmp'") |
| 226 | #·FIX·FOR·THIS·RULE·IS·MISSING | 226 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 227 | #·END·fix·for·'partition_for_ | 227 | #·END·fix·for·'partition_for_tmp' |
| 228 | ############################################################################### | 228 | ############################################################################### |
| 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' | 229 | #·BEGIN·fix·(26·/·36)·for·'partition_for_var_log_audit' |
| 230 | ############################################################################### | 230 | ############################################################################### |
| 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") | 231 | (>&2·echo·"Remediating·rule·26/36:·'partition_for_var_log_audit'") |
| Max diff block lines reached; 45/7916 bytes (0.57%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:26</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Debian·8</ns0:title> | 12 | ········<ns0:title>Debian·8</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Debian·8</ns0:platform> | 14 | ··········<ns0:platform>Debian·8</ns0:platform> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="2020-04-28T11:48:12"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:33:26</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Debian·8</ns0:platform> | 38 | ··············<ns0:platform>Debian·8</ns0:platform> |
| Offset 5573, 15 lines modified | Offset 5573, 15 lines modified | ||
| 5573 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5573 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5574 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5574 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5575 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5575 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5576 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5576 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5577 | ······</ns0:variables> | 5577 | ······</ns0:variables> |
| 5578 | ····</ns0:oval_definitions> | 5578 | ····</ns0:oval_definitions> |
| 5579 | ··</ds:component> | 5579 | ··</ds:component> |
| 5580 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="202 | 5580 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="2020-04-28T11:48:11"> |
| 5581 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5581 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5582 | ······<ns0:generator> | 5582 | ······<ns0:generator> |
| 5583 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5583 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5584 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5584 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5585 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5585 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5586 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5586 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5587 | ······</ns0:generator> | 5587 | ······</ns0:generator> |
| Offset 5594, 66 lines modified | Offset 5594, 66 lines modified | ||
| 5594 | ········</ns0:questionnaire> | 5594 | ········</ns0:questionnaire> |
| 5595 | ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> | 5595 | ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> |
| 5596 | ··········<ns0:title>Enable·the·ntpd·service</ns0:title> | 5596 | ··········<ns0:title>Enable·the·ntpd·service</ns0:title> |
| 5597 | ··········<ns0:actions> | 5597 | ··········<ns0:actions> |
| 5598 | ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> | 5598 | ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> |
| 5599 | ··········</ns0:actions> | 5599 | ··········</ns0:actions> |
| 5600 | ········</ns0:questionnaire> | 5600 | ········</ns0:questionnaire> |
| 5601 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 5602 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 5603 | ··········<ns0:actions> | ||
| 5604 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 5605 | ··········</ns0:actions> | ||
| 5606 | ········</ns0:questionnaire> | ||
| 5607 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 5608 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 5609 | ··········<ns0:actions> | ||
| 5610 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 5611 | ··········</ns0:actions> | ||
| 5612 | ········</ns0:questionnaire> | ||
| 5613 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5601 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5614 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5602 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5615 | ··········<ns0:actions> | 5603 | ··········<ns0:actions> |
| 5616 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5604 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5617 | ··········</ns0:actions> | 5605 | ··········</ns0:actions> |
| 5618 | ········</ns0:questionnaire> | 5606 | ········</ns0:questionnaire> |
| 5607 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 5608 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 5609 | ··········<ns0:actions> | ||
| 5610 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 5611 | ··········</ns0:actions> | ||
| 5612 | ········</ns0:questionnaire> | ||
| 5619 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> | 5613 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5620 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> | 5614 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5621 | ··········<ns0:actions> | 5615 | ··········<ns0:actions> |
| 5622 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> | 5616 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5623 | ··········</ns0:actions> | 5617 | ··········</ns0:actions> |
| 5624 | ········</ns0:questionnaire> | 5618 | ········</ns0:questionnaire> |
| 5619 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 5620 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 5621 | ··········<ns0:actions> | ||
| 5622 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 5623 | ··········</ns0:actions> | ||
| 5624 | ········</ns0:questionnaire> | ||
| 5625 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 5625 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5626 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> | 5626 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5627 | ··········<ns0:actions> | 5627 | ··········<ns0:actions> |
| 5628 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 5628 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5629 | ··········</ns0:actions> | 5629 | ··········</ns0:actions> |
| 5630 | ········</ns0:questionnaire> | 5630 | ········</ns0:questionnaire> |
| 5631 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 5631 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 5632 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 5632 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 5633 | ··········<ns0:actions> | 5633 | ··········<ns0:actions> |
| 5634 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 5634 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 5635 | ··········</ns0:actions> | 5635 | ··········</ns0:actions> |
| 5636 | ········</ns0:questionnaire> | 5636 | ········</ns0:questionnaire> |
| 5637 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 5637 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 5638 | ··········<ns0:title>Ensure·Log·Files· | 5638 | ··········<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 5639 | ··········<ns0:actions> | 5639 | ··········<ns0:actions> |
| 5640 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 5640 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 5641 | ··········</ns0:actions> | 5641 | ··········</ns0:actions> |
| 5642 | ········</ns0:questionnaire> | 5642 | ········</ns0:questionnaire> |
| 5643 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 5643 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 5644 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 5644 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 5645 | ··········<ns0:actions> | 5645 | ··········<ns0:actions> |
| 5646 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 5646 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 5647 | ··········</ns0:actions> | 5647 | ··········</ns0:actions> |
| 5648 | ········</ns0:questionnaire> | 5648 | ········</ns0:questionnaire> |
| 5649 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 5649 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5650 | ··········<ns0:title>Ensure· | 5650 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5651 | ··········<ns0:actions> | 5651 | ··········<ns0:actions> |
| 5652 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 5652 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5653 | ··········</ns0:actions> | 5653 | ··········</ns0:actions> |
| 5654 | ········</ns0:questionnaire> | 5654 | ········</ns0:questionnaire> |
| 5655 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 5655 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 5656 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 5656 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 5657 | ··········<ns0:actions> | 5657 | ··········<ns0:actions> |
| 5658 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 5658 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 5659 | ··········</ns0:actions> | 5659 | ··········</ns0:actions> |
| Offset 5702, 26 lines modified | Offset 5702, 26 lines modified | ||
| 5702 | ········</ns0:questionnaire> | 5702 | ········</ns0:questionnaire> |
| 5703 | ········<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 5703 | ········<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| 5704 | ··········<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> | 5704 | ··········<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> |
| 5705 | ··········<ns0:actions> | 5705 | ··········<ns0:actions> |
| 5706 | ············<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> | 5706 | ············<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> |
| 5707 | ··········</ns0:actions> | 5707 | ··········</ns0:actions> |
| 5708 | ········</ns0:questionnaire> | 5708 | ········</ns0:questionnaire> |
| 5709 | ········<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 5710 | ··········<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 5711 | ··········<ns0:actions> | ||
| Max diff block lines reached; 145693/155236 bytes (93.85%) of diff not shown. | |||
| Offset 15, 66 lines modified | Offset 15, 66 lines modified | ||
| 15 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Enable·the·ntpd·service</ns0:title> | 17 | ······<ns0:title>Enable·the·ntpd·service</ns0:title> |
| 18 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> | 19 | ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 24 | ······<ns0:actions> | ||
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 26 | ······</ns0:actions> | ||
| 27 | ····</ns0:questionnaire> | ||
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 29 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 30 | ······<ns0:actions> | ||
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 32 | ······</ns0:actions> | ||
| 33 | ····</ns0:questionnaire> | ||
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 23 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | ||
| 29 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | ||
| 30 | ······<ns0:actions> | ||
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | ||
| 32 | ······</ns0:actions> | ||
| 33 | ····</ns0:questionnaire> | ||
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 41 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> | 35 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 42 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> | ||
| 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> | ||
| 42 | ······<ns0:actions> | ||
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> | ||
| 44 | ······</ns0:actions> | ||
| 45 | ····</ns0:questionnaire> | ||
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 54 | ······<ns0:actions> | 54 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 56 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 57 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ | 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| 59 | ······<ns0:title>Ensure·Log·Files· | 59 | ······<ns0:title>Ensure·System·Log·Files·Have·Correct·Permissions</ns0:title> |
| 60 | ······<ns0:actions> | 60 | ······<ns0:actions> |
| 61 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ | 61 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ns0:test_action_ref> |
| 62 | ······</ns0:actions> | 62 | ······</ns0:actions> |
| 63 | ····</ns0:questionnaire> | 63 | ····</ns0:questionnaire> |
| 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> | 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"> |
| 65 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> | 65 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·User</ns0:title> |
| 66 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> | 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ns0:test_action_ref> |
| 68 | ······</ns0:actions> | 68 | ······</ns0:actions> |
| 69 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_p | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure· | 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 72 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_p | 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> |
| 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> |
| 78 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| Offset 123, 26 lines modified | Offset 123, 26 lines modified | ||
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> | 125 | ······<ns0:title>Ensure·/home·Located·On·Separate·Partition</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 131 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 132 | ······<ns0:actions> | ||
| 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 134 | ······</ns0:actions> | ||
| 135 | ····</ns0:questionnaire> | ||
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> | 130 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> | 131 | ······<ns0:title>Ensure·/var·Located·On·Separate·Partition</ns0:title> |
| 138 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> | 133 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 141 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"> | ||
| 137 | ······<ns0:title>Ensure·/tmp·Located·On·Separate·Partition</ns0:title> | ||
| 138 | ······<ns0:actions> | ||
| 139 | ········<ns0:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ns0:test_action_ref> | ||
| 140 | ······</ns0:actions> | ||
| 141 | ····</ns0:questionnaire> | ||
| 142 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1"> | 142 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1"> |
| 143 | ······<ns0:title>Ensure·/var/log/audit·Located·On·Separate·Partition</ns0:title> | 143 | ······<ns0:title>Ensure·/var/log/audit·Located·On·Separate·Partition</ns0:title> |
| 144 | ······<ns0:actions> | 144 | ······<ns0:actions> |
| 145 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_log_audit_action:testaction:1</ns0:test_action_ref> | 145 | ········<ns0:test_action_ref>ocil:ssg-partition_for_var_log_audit_action:testaction:1</ns0:test_action_ref> |
| 146 | ······</ns0:actions> | 146 | ······</ns0:actions> |
| 147 | ····</ns0:questionnaire> | 147 | ····</ns0:questionnaire> |
| 148 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_log_ocil:questionnaire:1"> | 148 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_var_log_ocil:questionnaire:1"> |
| Offset 225, 39 lines modified | Offset 225, 39 lines modified | ||
| 225 | ······<ns0:when_true> | 225 | ······<ns0:when_true> |
| 226 | ········<ns0:result>PASS</ns0:result> | 226 | ········<ns0:result>PASS</ns0:result> |
| 227 | ······</ns0:when_true> | 227 | ······</ns0:when_true> |
| 228 | ······<ns0:when_false> | 228 | ······<ns0:when_false> |
| 229 | ········<ns0:result>FAIL</ns0:result> | 229 | ········<ns0:result>FAIL</ns0:result> |
| 230 | ······</ns0:when_false> | 230 | ······</ns0:when_false> |
| 231 | ····</ns0:boolean_question_test_action> | 231 | ····</ns0:boolean_question_test_action> |
| 232 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 232 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_idle_timeout_action:testaction:1"·question_ref="ocil:ssg-sshd_set_idle_timeout_question:question:1"> |
| 233 | ······<ns0:when_true> | 233 | ······<ns0:when_true> |
| 234 | ········<ns0:result>PASS</ns0:result> | 234 | ········<ns0:result>PASS</ns0:result> |
| 235 | ······</ns0:when_true> | 235 | ······</ns0:when_true> |
| 236 | ······<ns0:when_false> | 236 | ······<ns0:when_false> |
| 237 | ········<ns0:result>FAIL</ns0:result> | 237 | ········<ns0:result>FAIL</ns0:result> |
| 238 | ······</ns0:when_false> | 238 | ······</ns0:when_false> |
| 239 | ····</ns0:boolean_question_test_action> | 239 | ····</ns0:boolean_question_test_action> |
| Max diff block lines reached; 12157/19840 bytes (61.28%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:26</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Debian·8</ns0:platform> | 14 | ··········<ns0:platform>Debian·8</ns0:platform> |
| Offset 160, 55 lines modified | Offset 160, 70 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id=" | 167 | ··<Profile·id="standard"> |
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Standard·System·Security·Profile·for·Debian·8</title> |
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 170 | 170 | of·a·Debian·8·system.·Regardless·of·your·system's·workload | |
| 171 | 171 | all·of·these·checks·should·pass.</description> | |
| 172 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 173 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 174 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 175 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 176 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 177 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 178 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 179 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 180 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 181 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 182 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 183 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | 184 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 176 | ····<select·idref="package_ | 185 | ····<select·idref="package_ntpdate_removed"·selected="true"/> |
| 186 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 187 | ····<select·idref="service_cron_enabled"·selected="true"/> | ||
| 188 | ····<select·idref="service_ntp_enabled"·selected="true"/> | ||
| 177 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | 189 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> |
| 178 | ····<select·idref=" | 190 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> |
| 179 | ····<select·idref="s | 191 | ····<select·idref="sshd_disable_root_login"·selected="true"/> |
| 180 | ····<select·idref=" | 192 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> |
| 181 | ····<select·idref=" | 193 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> |
| 194 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 195 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 196 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 197 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 198 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 199 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 200 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | ||
| 182 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | 201 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> |
| 183 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 202 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 184 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 203 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 185 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 204 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 205 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 206 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 207 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 208 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 186 | ····<select·idref="remediation_functions"·selected="false"/> | 209 | ····<select·idref="remediation_functions"·selected="false"/> |
| 187 | ····<select·idref=" | 210 | ····<select·idref="apt"·selected="false"/> |
| 188 | ····<select·idref="ssh"·selected="false"/> | ||
| 189 | ····<select·idref="ssh_server"·selected="false"/> | ||
| 190 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 211 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 191 | ····<select·idref=" | 212 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 192 | ····<select·idref=" | 213 | ····<select·idref="sudo"·selected="false"/> |
| 193 | ····<select·idref="fs-part"·selected="false"/> | ||
| 194 | ····<select·idref="installation-storage-partitioning"·selected="false"/> | ||
| 195 | ····<select·idref="fs-restrict"·selected="false"/> | ||
| 196 | ····<select·idref="accounts"·selected="false"/> | 214 | ····<select·idref="accounts"·selected="false"/> |
| 197 | ····<select·idref="accounts-restrictions"·selected="false"/> | 215 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 198 | ····<select·idref="permission_important_state_files"·selected="false"/> | ||
| 199 | ····<select·idref="restriction"·selected="false"/> | ||
| 200 | ····<select·idref="coredumps"·selected="false"/> | ||
| 201 | ····<select·idref="enable_execshield_settings"·selected="false"/> | ||
| 202 | ····<select·idref="hw-install"·selected="false"/> | 216 | ····<select·idref="hw-install"·selected="false"/> |
| 203 | ····<select·idref="software"·selected="false"/> | 217 | ····<select·idref="software"·selected="false"/> |
| 218 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | ||
| 204 | ··</Profile> | 219 | ··</Profile> |
| 205 | ··<Profile·id="anssi_np_nt28_ | 220 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 206 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 221 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 207 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 222 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 208 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 223 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 209 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 224 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 210 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 225 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 211 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 226 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 212 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 227 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 213 | ····<select·idref="package_nis_removed"·selected="true"/> | 228 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 214 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | 229 | ····<select·idref="package_rsyslog_installed"·selected="true"/> |
| Offset 243, 19 lines modified | Offset 258, 19 lines modified | ||
| 243 | ····<select·idref="partition_for_var_log"·selected="true"/> | 258 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 244 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 259 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 245 | ····<select·idref="partition_for_home"·selected="true"/> | 260 | ····<select·idref="partition_for_home"·selected="true"/> |
| 246 | ····<select·idref="package_auditd_installed"·selected="true"/> | 261 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 247 | ····<select·idref="package_cron_installed"·selected="true"/> | 262 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 248 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 263 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 249 | ····<select·idref="service_ntp_enabled"·selected="true"/> | 264 | ····<select·idref="service_ntp_enabled"·selected="true"/> |
| 250 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 251 | ····<select·idref="remediation_functions"·selected="false"/> | 265 | ····<select·idref="remediation_functions"·selected="false"/> |
| 252 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 266 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 253 | ····<select·idref="accounts"·selected="false"/> | 267 | ····<select·idref="accounts"·selected="false"/> |
| 254 | ····<select·idref="accounts-restrictions"·selected="false"/> | 268 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 269 | ····<select·idref="hw-install"·selected="false"/> | ||
| 255 | ····<select·idref="software"·selected="false"/> | 270 | ····<select·idref="software"·selected="false"/> |
| 256 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 271 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 257 | ··</Profile> | 272 | ··</Profile> |
| 258 | ··<Profile·id="anssi_np_nt28_average"> | 273 | ··<Profile·id="anssi_np_nt28_average"> |
| 259 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 274 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 260 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 275 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| 261 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 276 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| Offset 300, 70 lines modified | Offset 315, 55 lines modified | ||
| 300 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 315 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 301 | ····<select·idref="accounts"·selected="false"/> | 316 | ····<select·idref="accounts"·selected="false"/> |
| 302 | ····<select·idref="accounts-restrictions"·selected="false"/> | 317 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 303 | ····<select·idref="hw-install"·selected="false"/> | 318 | ····<select·idref="hw-install"·selected="false"/> |
| 304 | ····<select·idref="software"·selected="false"/> | 319 | ····<select·idref="software"·selected="false"/> |
| 305 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 320 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 306 | ··</Profile> | 321 | ··</Profile> |
| 307 | ··<Profile·id="st | 322 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 308 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 323 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 309 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains· | 324 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| 310 | 325 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | |
| 311 | 326 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | |
| 312 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 313 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 314 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 315 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 316 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 317 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 318 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 319 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 320 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 321 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 327 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 322 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 328 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 323 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 329 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 324 | ····<select·idref="package_nis_removed"·selected="true"/> | 330 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 325 | ····<select·idref="package_ | 331 | ····<select·idref="package_rsyslog_installed"·selected="true"/> |
| Max diff block lines reached; 110102/120906 bytes (91.06%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····5712·2018-07-26·14:58:28.000000·control.tar.xz | 2 | -rw-r--r--···0········0········0·····5712·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0··524 | 3 | -rw-r--r--···0········0········0··5243052·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 65, 15 lines modified | Offset 65, 15 lines modified | ||
| 65 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 65 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 69 | quality,·reliability,·or·any·other·characteristic. | 69 | quality,·reliability,·or·any·other·characteristic. |
| 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 71 | ····························(as·of·2018-07-26) | 71 | ····························(as·of·2018-07-26) |
| 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 76 | ones·can·be·safely·disabled. | 76 | ones·can·be·safely·disabled. |
| 77 | <br><br> | 77 | <br><br> |
| 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 236, 96 lines modified | Offset 236, 14 lines modified | ||
| 236 | class·remove_httpd·{ | 236 | class·remove_httpd·{ |
| 237 | ··package·{·'httpd': | 237 | ··package·{·'httpd': |
| 238 | ····ensure·=>·'purged', | 238 | ····ensure·=>·'purged', |
| 239 | ··} | 239 | ··} |
| 240 | } | 240 | } |
| 241 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 241 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 242 | package·--remove=httpd | 242 | package·--remove=httpd |
| 243 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 244 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 245 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 246 | parameters·from·a·server. | ||
| 247 | <br><br> | ||
| 248 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 249 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 250 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 251 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 252 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 253 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 254 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 255 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 256 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 257 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 258 | the·dhcp·package·can·be·uninstalled. | ||
| 259 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 260 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 261 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 262 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 263 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29694">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29694"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 264 | # | ||
| 265 | #·Example·Call(s): | ||
| 266 | # | ||
| 267 | #·····package_remove·telnet-server | ||
| 268 | # | ||
| 269 | function·package_remove·{ | ||
| 270 | #·Load·function·arguments·into·local·variables | ||
| 271 | local·package="$1" | ||
| 272 | #·Check·sanity·of·the·input | ||
| 273 | if·[·$#·-ne·"1"·] | ||
| 274 | then | ||
| 275 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 276 | ··echo·"Aborting." | ||
| 277 | ··exit·1 | ||
| 278 | fi | ||
| 279 | if·which·dnf·;·then | ||
| 280 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 281 | ····dnf·remove·-y·"$package" | ||
| 282 | ··fi | ||
| 283 | elif·which·yum·;·then | ||
| 284 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 285 | ····yum·remove·-y·"$package" | ||
| 286 | ··fi | ||
| 287 | elif·which·apt-get·;·then | ||
| 288 | ··apt-get·remove·-y·"$package" | ||
| 289 | else | ||
| 290 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | } | ||
| 295 | package_remove·dhcp | ||
| 296 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29696">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29696"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 297 | ··package: | ||
| 298 | ····name="{{item}}" | ||
| 299 | ····state=absent | ||
| 300 | ··with_items: | ||
| 301 | ····-·dhcp | ||
| 302 | ··tags: | ||
| 303 | ····-·package_dhcp_removed | ||
| 304 | ····-·medium_severity | ||
| 305 | ····-·disable_strategy | ||
| 306 | ····-·low_complexity | ||
| 307 | ····-·low_disruption | ||
| 308 | ····-·CCE-27120-5 | ||
| 309 | ····-·NIST-800-53-CM-7 | ||
| 310 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29697">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29697"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 311 | class·remove_dhcp·{ | ||
| 312 | ··package·{·'dhcp': | ||
| 313 | ····ensure·=>·'purged', | ||
| 314 | ··} | ||
| 315 | } | ||
| 316 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 317 | package·--remove=dhcp | ||
| 318 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | 243 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 244 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 320 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 245 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 321 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 246 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 322 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 247 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 323 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 248 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 324 | outside·world. | 249 | outside·world. |
| Offset 345, 15 lines modified | Offset 263, 15 lines modified | ||
| 345 | <br><br> | 263 | <br><br> |
| 346 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 264 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 347 | servers,·and·the·remainder·obtaining·time·information·from·those | 265 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 348 | internal·servers. | 266 | internal·servers. |
| 349 | <br><br> | 267 | <br><br> |
| 350 | More·information·on·how·to·configure·the·NTP·server·software, | 268 | More·information·on·how·to·configure·the·NTP·server·software, |
| 351 | including·configuration·of·cryptographic·authentication·for | 269 | including·configuration·of·cryptographic·authentication·for |
| 352 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 270 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 271 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 354 | ·········· | 272 | ·········· |
| 355 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 273 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 356 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 274 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 357 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 275 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 358 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 276 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| Max diff block lines reached; 1633865/1653391 bytes (98.82%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 77, 29 lines modified | Offset 77, 29 lines modified | ||
| 77 | <br><br> | 77 | <br><br> |
| 78 | However,·there·are·some·FTP·server·configurations·which·may | 78 | However,·there·are·some·FTP·server·configurations·which·may |
| 79 | be·appropriate·for·some·environments,·particularly·those·which | 79 | be·appropriate·for·some·environments,·particularly·those·which |
| 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 86 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 87 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 88 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 89 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29062"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 86 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 91 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 87 | <pre>xferlog_enable=YES | 92 | <pre>xferlog_enable=YES |
| 88 | xferlog_std_format=NO | 93 | xferlog_std_format=NO |
| 89 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 94 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 90 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 95 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 91 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 98 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 102 | ············ | 102 | ············ |
| 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| Offset 528, 19 lines modified | Offset 528, 18 lines modified | ||
| 528 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_cgi_support">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>cgi</code>·module·allows·HTML·to·interact·with·the·CGI·web·programming·language. | 528 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_cgi_support">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>cgi</code>·module·allows·HTML·to·interact·with·the·CGI·web·programming·language. |
| 529 | <br><br> | 529 | <br><br> |
| 530 | If·this·functionality·is·unnecessary,·comment·out·the·module: | 530 | If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 531 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> | 531 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> |
| 532 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 532 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 533 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 533 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 534 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 534 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·id="guide-tree-leaf-idm29440"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication">Disable·HTTP·Digest·Authentication |
| 535 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 535 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_digest_authentication">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>auth_digest</code>·module·provides·encrypted·authentication·sessions. |
| 536 | 536 | If·this·functionality·is·unnecessary,·comment·out·the·related·module: | |
| 537 | <pre>#LoadModule· | 537 | <pre>#LoadModule·auth_digest_module·modules/mod_auth_digest.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 538 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 539 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 538 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 540 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·id="guide-tree-leaf-idm29446"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status">Disable·Server·Activity·Status | 539 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·id="guide-tree-leaf-idm29446"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status">Disable·Server·Activity·Status |
| 541 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of | 540 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of |
| 542 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled | 541 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled |
| 543 | unless·necessary.·To·do·so,·comment·out·the·related·module: | 542 | unless·necessary.·To·do·so,·comment·out·the·related·module: |
| 544 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> | 543 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> |
| 545 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status | 544 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status |
| Offset 551, 18 lines modified | Offset 550, 19 lines modified | ||
| 551 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_configuration_display">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>info</code>·module·creates·a·web·page·illustrating·the·configuration·of·the·web·server.·This | 550 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_configuration_display">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>info</code>·module·creates·a·web·page·illustrating·the·configuration·of·the·web·server.·This |
| 552 | can·create·an·unnecessary·security·leak·and·should·be·disabled. | 551 | can·create·an·unnecessary·security·leak·and·should·be·disabled. |
| 553 | If·its·functionality·is·unnecessary,·comment·out·the·module: | 552 | If·its·functionality·is·unnecessary,·comment·out·the·module: |
| 554 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> | 553 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> |
| 555 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide | 554 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide |
| 556 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 555 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 557 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 556 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 558 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 557 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_url_correction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_url_correction"·id="guide-tree-leaf-idm29459"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_url_correction">Disable·URL·Correction·on·Misspelled·Entries |
| 559 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 558 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_url_correction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>speling</code>·module·attempts·to·find·a·document·match·by·allowing·one·misspelling·in·an |
| 560 | If·this·functionality·is·unnecessary,·comment·out·th | 559 | otherwise·failed·request.·If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 561 | <pre>#LoadModule· | 560 | <pre>#LoadModule·speling_module·modules/mod_speling.so</pre> |
| 561 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 562 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 562 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 563 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic"·id="guide-tree-leaf-idm29465"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_mime_magic">Disable·MIME·Magic | 563 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic"·id="guide-tree-leaf-idm29465"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_mime_magic">Disable·MIME·Magic |
| 564 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations | 564 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations |
| 565 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: | 565 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: |
| 566 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 566 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 567 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 567 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 568 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) | 568 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) |
| Offset 609, 105 lines modified | Offset 609, 15 lines modified | ||
| 609 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler | 609 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler |
| 610 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, | 610 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, |
| 611 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers | 611 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers |
| 612 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that | 612 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that |
| 613 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 613 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 614 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 614 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 615 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 615 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 616 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 617 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 618 | parameters·from·a·server. | ||
| 619 | <br><br> | ||
| 620 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 621 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 622 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 623 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 624 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 625 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 626 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 627 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 628 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 629 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 630 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 631 | following·changes: | ||
| 632 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 633 | <pre>BOOTPROTO=none</pre> | ||
| 634 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 635 | values·based·on·your·site's·addressing·scheme: | ||
| 636 | <pre>NETMASK=255.255.255.0 | ||
| 637 | IPADDR=192.168.1.2 | ||
| 638 | GATEWAY=192.168.1.1</pre> | ||
| 639 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 640 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 641 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 642 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 643 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| Max diff block lines reached; 2448350/2491659 bytes (98.26%) of diff not shown. | |||
| Offset 61, 15 lines modified | Offset 61, 15 lines modified | ||
| 61 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 61 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 65 | quality,·reliability,·or·any·other·characteristic. | 65 | quality,·reliability,·or·any·other·characteristic. |
| 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.conte[·...·truncated·by·diffoscope;·len:·622,·SHA1:·5fdea4aa41595454218b51257d3604d966d4890a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 321, 255 lines modified | Offset 321, 15 lines modified | ||
| 321 | ····-·NIST-800-53-CM-7 | 321 | ····-·NIST-800-53-CM-7 |
| 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory |
| 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: |
| 324 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | 324 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> |
| 325 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | 325 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker |
| 326 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 326 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 327 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 327 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 328 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 328 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 329 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 330 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 331 | parameters·from·a·server. | ||
| 332 | <br><br> | ||
| 333 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 334 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 335 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 336 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 337 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 338 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 339 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 340 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 341 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 342 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 343 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 344 | following·changes: | ||
| 345 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 346 | <pre>BOOTPROTO=none</pre> | ||
| 347 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 348 | values·based·on·your·site's·addressing·scheme: | ||
| 349 | <pre>NETMASK=255.255.255.0 | ||
| 350 | IPADDR=192.168.1.2 | ||
| 351 | GATEWAY=192.168.1.1</pre> | ||
| 352 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 353 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 354 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 355 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 356 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 357 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 358 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 359 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 360 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 361 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 362 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 363 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 364 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 365 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·id="guide-tree-leaf-idm29639"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">Deny·Decline·Messages | ||
| 366 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·<code>/etc/dhcp/dhcpd.conf</code>·and·add·or·correct·the·following | ||
| 367 | global·option·to·prevent·the·DHCP·server·from·responding·the·DHCPDECLINE | ||
| 368 | messages,·if·possible:·<pre>deny·declines;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DHCPDECLINE·message·can·be·sent·by·a·DHCP·client·to·indicate | ||
| 369 | that·it·does·not·consider·the·lease·offered·by·the·server·to·be·valid.·By | ||
| 370 | issuing·many·DHCPDECLINE·messages,·a·malicious·client·can·exhaust·the·DHCP | ||
| 371 | server's·pool·of·IP·addresses,·causing·the·DHCP·server·to·forget·old·address | ||
| 372 | allocations.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 373 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 374 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·id="guide-tree-leaf-idm29648"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">Do·Not·Use·Dynamic·DNS | ||
| 375 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·prevent·the·DHCP·server·from·receiving·DNS·information·from | ||
| 376 | clients,·edit·<code>/etc/dhcp/dhcpd.conf</code>,·and·add·or·correct·the·following·global | ||
| 377 | option:·<pre>ddns-update-style·none;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·Dynamic·DNS·protocol·is·used·to·remotely·update·the·data·served | ||
| 378 | by·a·DNS·server.·DHCP·servers·can·use·Dynamic·DNS·to·publish·information·about | ||
| 379 | their·clients.·This·setup·carries·security·risks,·and·its·use·is·not | ||
| 380 | recommended.··If·Dynamic·DNS·must·be·used·despite·the·risks·it·poses,·it·is | ||
| 381 | critical·that·Dynamic·DNS·transactions·be·protected·using·TSIG·or·some·other | ||
| 382 | cryptographic·authentication·mechanism.·See·dhcpd.conf(5)·for·more·information | ||
| 383 | about·protecting·the·DHCP·server·from·passing·along·malicious·DNS·data·from·its | ||
| 384 | clients.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 385 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 386 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·id="guide-tree-leaf-idm29665"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">Deny·BOOTP·Queries | ||
| 387 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unless·your·network·needs·to·support·older·BOOTP·clients,·disable | ||
| 388 | support·for·the·bootp·protocol·by·adding·or·correcting·the·global·option: | ||
| 389 | <pre>deny·bootp;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·bootp·option·tells·dhcpd·to·respond·to·BOOTP·queries.·If·support | ||
| 390 | for·this·simpler·protocol·is·not·needed,·it·should·be·disabled·to·remove·attack | ||
| 391 | vectors·against·the·DHCP·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 392 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 393 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 394 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 395 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 396 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 397 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 398 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 399 | the·dhcp·package·can·be·uninstalled. | ||
| 400 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 401 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 402 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 403 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 404 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29694">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29694"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 405 | # | ||
| 406 | #·Example·Call(s): | ||
| 407 | # | ||
| 408 | #·····package_remove·telnet-server | ||
| 409 | # | ||
| 410 | function·package_remove·{ | ||
| 411 | #·Load·function·arguments·into·local·variables | ||
| 412 | local·package="$1" | ||
| 413 | #·Check·sanity·of·the·input | ||
| 414 | if·[·$#·-ne·"1"·] | ||
| 415 | then | ||
| 416 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 417 | ··echo·"Aborting." | ||
| 418 | ··exit·1 | ||
| 419 | fi | ||
| 420 | if·which·dnf·;·then | ||
| 421 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 422 | ····dnf·remove·-y·"$package" | ||
| 423 | ··fi | ||
| 424 | elif·which·yum·;·then | ||
| 425 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 426 | ····yum·remove·-y·"$package" | ||
| 427 | ··fi | ||
| Max diff block lines reached; 1728532/1760579 bytes (98.18%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1152,·SHA1:·dd5cc62f3a273462962f45a6acbfc2a35644bcb6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 315, 45 lines modified | Offset 315, 15 lines modified | ||
| 315 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, | 315 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, |
| 316 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline | 316 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline |
| 317 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication | 317 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication |
| 318 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. | 318 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. |
| 319 | <br><br> | 319 | <br><br> |
| 320 | For·more·information,·see | 320 | For·more·information,·see |
| 321 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> | 321 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> |
| 322 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 322 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 324 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 325 | parameters·from·a·server. | ||
| 326 | <br><br> | ||
| 327 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 328 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 329 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 330 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 331 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 332 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 333 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 334 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 335 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 336 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 337 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 338 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 339 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 340 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 341 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 342 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 343 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 344 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 345 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 346 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 347 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_client_configuration">Configure·DHCP·Client·if·Necessary | ||
| 348 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_client_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·DHCP·must·be·used,·then·certain·configuration·changes·can | ||
| 349 | minimize·the·amount·of·information·it·receives·and·applies·from·the·network, | ||
| 350 | and·thus·the·amount·of·incorrect·information·a·rogue·DHCP·server·could | ||
| 351 | successfully·distribute.··For·more·information·on·configuring·dhclient,·see·the | ||
| 352 | <code>dhclient(8)</code>·and·<code>dhclient.conf(5)</code>·man·pages.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 353 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 354 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 324 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 355 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 325 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 356 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 326 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 357 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 327 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 358 | outside·world. | 328 | outside·world. |
| 359 | <br><br> | 329 | <br><br> |
| Offset 401, 42 lines modified | Offset 371, 15 lines modified | ||
| 401 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully | 371 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully |
| 402 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: | 372 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: |
| 403 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network | 373 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network |
| 404 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management | 374 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management |
| 405 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible | 375 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible |
| 406 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote | 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote |
| 407 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and | 377 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and |
| 408 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 378 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 409 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 410 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 411 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 412 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 413 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_restrict_at_cron_users">Restrict·at·and·cron·to·Authorized·Users·if·Necessary | ||
| 414 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_restrict_at_cron_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>/etc/cron.allow</code>·and·<code>/etc/at.allow</code>·files·contain·lists·of·users·who·are·allowed | ||
| 415 | to·use·cron·and·at·to·delay·execution·of·processes.·If·these·files·exist·and | ||
| 416 | if·the·corresponding·files·<code>/etc/cron.deny</code>·and·<code>/etc/at.deny</code>·do·not·exist, | ||
| 417 | then·only·users·listed·in·the·relevant·allow·files·can·run·the·crontab·and·at | ||
| 418 | commands·to·submit·jobs·to·be·run·at·scheduled·intervals. | ||
| 419 | On·many·systems,·only·the·system·administrator·needs·the·ability·to·schedule | ||
| 420 | jobs.·Note·that·even·if·a·given·user·is·not·listed·in·<code>cron.allow</code>,·cron·jobs·can | ||
| 421 | still·be·run·as·that·user.·The·<code>cron.allow</code>·file·controls·only·administrative·access | ||
| 422 | to·the·crontab·command·for·scheduling·and·modifying·cron·jobs. | ||
| 423 | <br> | ||
| 424 | <br> | ||
| 425 | To·restrict·at·and·cron·to·only·authorized·users: | ||
| 426 | <ul><li>Remove·the·cron.deny·file:<pre>$·sudo·rm·/etc/cron.deny</pre></li><li>Edit·<code>/etc/cron.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·crontab·command·to·create·cron·jobs.</li><li>Remove·the·<code>at.deny</code>·file:<pre>$·sudo·rm·/etc/at.deny</pre></li><li>Edit·<code>/etc/at.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·at·command·to·create·at·jobs.</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_xwindows">X·Window·System | ||
| 427 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·X·Window·System·implementation·included·with·the | ||
| 428 | system·is·called·X.org.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_xwindows">Disable·X·Windows | ||
| 429 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Unless·there·is·a·mission-critical·reason·for·the | ||
| 430 | system·to·run·a·graphical·user·interface,·ensure·X·is·not·set·to·start | ||
| 431 | automatically·at·boot·and·remove·the·X·Windows·software·packages. | ||
| 432 | There·is·usually·no·reason·to·run·X·Windows | ||
| 433 | on·a·dedicated·server·system,·as·it·increases·the·system's·attack·surface·and·consumes | ||
| 434 | system·resources.·Administrators·of·server·systems·should·instead·login·via | ||
| 435 | SSH·or·on·the·text·console.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 436 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 379 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 437 | services·which·have·historically·caused·problems·for·system | 380 | services·which·have·historically·caused·problems·for·system |
| 438 | security,·and·for·which·disabling·or·severely·limiting·the·service | 381 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 439 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 382 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 440 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 | 383 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 |
| 441 | by·default. | 384 | by·default. |
| 442 | <br><br> | 385 | <br><br> |
| Offset 470, 138 lines modified | Offset 413, 128 lines modified | ||
| 470 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 413 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 471 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 414 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 472 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 415 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 473 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 416 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 474 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 417 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 475 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 418 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 476 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 419 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 477 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 420 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 478 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 421 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 479 | 422 | standardized·way·of·looking·up·information·from·a·central·database. | |
| 480 | 423 | Red·Hat·Enterprise·Linux·6·includes·software·that·enables·a·system·to·act·as·both | |
| 481 | and·then·detail | 424 | an·LDAP·client·and·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openldap_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_openldap_server">Configure·OpenLDAP·Server |
| 482 | 425 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openldap_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·details·some·security-relevant·settings | |
| 483 | 426 | for·an·OpenLDAP·server.··Installation·and·configuration·of·OpenLDAP·on·Red·Hat·Enterprise·Linux·6·is·available·at: | |
| 484 | 427 | <a·href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openldap_server"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">Install·and·Protect·LDAP·Certificate·Files | |
| 485 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 428 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Create·the·PKI·directory·for·LDAP·certificates·if·it·does·not·already·exist: |
| 486 | 429 | <pre>$·sudo·mkdir·/etc/pki/tls/ldap | |
| 487 | 430 | $·sudo·chown·root:root·/etc/pki/tls/ldap | |
| 488 | 431 | $·sudo·chmod·755·/etc/pki/tls/ldap</pre> | |
| 489 | 432 | Using·removable·media·or·some·other·secure·transmission·format,·install·the·certificate·files | |
| 490 | 433 | onto·the·LDAP·server: | |
| 491 | 434 | <ul><li><code>/etc/pki/tls/ldap/serverkey.pem</code>:·the·private·key·<code>ldapserverkey.pem</code></li><li><code>/etc/pki/tls/ldap/servercert.pem</code>:·the·certificate·file·<code>ldapservercert.pem</code></li></ul> | |
| Max diff block lines reached; 167027/225897 bytes (73.94%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·887,·SHA1:·65d32b80d8d9fc9390e2f6a61646977453fe2c7d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 432, 198 lines modified | Offset 432, 14 lines modified | ||
| 432 | class·remove_httpd·{ | 432 | class·remove_httpd·{ |
| 433 | ··package·{·'httpd': | 433 | ··package·{·'httpd': |
| 434 | ····ensure·=>·'purged', | 434 | ····ensure·=>·'purged', |
| 435 | ··} | 435 | ··} |
| 436 | } | 436 | } |
| 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 438 | package·--remove=httpd | 438 | package·--remove=httpd |
| 439 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 440 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 441 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 442 | parameters·from·a·server. | ||
| 443 | <br><br> | ||
| 444 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 445 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 446 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 447 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 448 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 449 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 450 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 451 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 452 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 454 | the·dhcp·package·can·be·uninstalled. | ||
| 455 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 456 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 457 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 458 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 459 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29694">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29694"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 460 | # | ||
| 461 | #·Example·Call(s): | ||
| 462 | # | ||
| 463 | #·····package_remove·telnet-server | ||
| 464 | # | ||
| 465 | function·package_remove·{ | ||
| 466 | #·Load·function·arguments·into·local·variables | ||
| 467 | local·package="$1" | ||
| 468 | #·Check·sanity·of·the·input | ||
| 469 | if·[·$#·-ne·"1"·] | ||
| 470 | then | ||
| 471 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 472 | ··echo·"Aborting." | ||
| 473 | ··exit·1 | ||
| 474 | fi | ||
| 475 | if·which·dnf·;·then | ||
| 476 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 477 | ····dnf·remove·-y·"$package" | ||
| 478 | ··fi | ||
| 479 | elif·which·yum·;·then | ||
| 480 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 481 | ····yum·remove·-y·"$package" | ||
| 482 | ··fi | ||
| 483 | elif·which·apt-get·;·then | ||
| 484 | ··apt-get·remove·-y·"$package" | ||
| 485 | else | ||
| 486 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 487 | ··echo·"Aborting." | ||
| 488 | ··exit·1 | ||
| 489 | fi | ||
| 490 | } | ||
| 491 | package_remove·dhcp | ||
| 492 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29696">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29696"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 493 | ··package: | ||
| 494 | ····name="{{item}}" | ||
| 495 | ····state=absent | ||
| 496 | ··with_items: | ||
| 497 | ····-·dhcp | ||
| 498 | ··tags: | ||
| 499 | ····-·package_dhcp_removed | ||
| 500 | ····-·medium_severity | ||
| 501 | ····-·disable_strategy | ||
| 502 | ····-·low_complexity | ||
| 503 | ····-·low_disruption | ||
| 504 | ····-·CCE-27120-5 | ||
| 505 | ····-·NIST-800-53-CM-7 | ||
| 506 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29697">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29697"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 507 | class·remove_dhcp·{ | ||
| 508 | ··package·{·'dhcp': | ||
| 509 | ····ensure·=>·'purged', | ||
| 510 | ··} | ||
| 511 | } | ||
| 512 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 513 | package·--remove=dhcp | ||
| 514 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29703"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 515 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 516 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 517 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 518 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 519 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 520 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 521 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 522 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29712">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29712"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 523 | # | ||
| 524 | #·Example·Call(s): | ||
| 525 | # | ||
| 526 | #·····service_command·enable·bluetooth | ||
| 527 | #·····service_command·disable·bluetooth.service | ||
| 528 | # | ||
| 529 | #·····Using·xinetd: | ||
| 530 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 531 | # | ||
| 532 | function·service_command·{ | ||
| 533 | #·Load·function·arguments·into·local·variables | ||
| Max diff block lines reached; 1793881/1815410 bytes (98.81%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA1:·41be5defbc9b88735c60d3c6378434afc19f29f2·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 248 lines modified | Offset 201, 35 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29643"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 212 | <em>ntpserver</em>: | ||
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29788"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 210 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 211 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 212 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 213 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 214 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 215 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 218 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29661"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 229 | ···················· | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 230 | 220 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | |
| 231 | 221 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | |
| 232 | 222 | <em>ntpserver</em>: | |
| 233 | 223 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | |
| 234 | 224 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | |
| 235 | 225 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | |
| 236 | 226 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 237 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 238 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 239 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 240 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 241 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29973"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 242 | # | ||
| 243 | #·Example·Call(s): | ||
| 244 | # | ||
| 245 | #·····service_command·enable·bluetooth | ||
| 246 | #·····service_command·disable·bluetooth.service | ||
| 247 | # | ||
| 248 | #·····Using·xinetd: | ||
| 249 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 250 | # | ||
| 251 | function·service_command·{ | ||
| 252 | #·Load·function·arguments·into·local·variables | ||
| 253 | local·service_state=$1 | ||
| 254 | local·service=$2 | ||
| 255 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 256 | #·Check·sanity·of·the·input | ||
| 257 | if·[·$#·-lt·"2"·] | ||
| 258 | then | ||
| 259 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 260 | ··echo | ||
| Max diff block lines reached; 1906633/1934179 bytes (98.58%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 87, 41 lines modified | Offset 87, 41 lines modified | ||
| 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible | 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible |
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than |
| 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: |
| 90 | <pre>local_enable=NO</pre> | 90 | <pre>local_enable=NO</pre> |
| 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure |
| 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 96 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 97 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 98 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 99 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29051"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 101 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 102 | <pre>write_enable=NO</pre> | ||
| 103 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 104 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 105 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 106 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 107 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29058"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can |
| 96 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | 109 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent |
| 97 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 110 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 98 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm290 | 111 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29062"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 100 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 113 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 101 | <pre>xferlog_enable=YES | 114 | <pre>xferlog_enable=YES |
| 102 | xferlog_std_format=NO | 115 | xferlog_std_format=NO |
| 103 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 116 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 104 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 117 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 105 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 118 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 119 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 120 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 109 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 110 | <pre>write_enable=NO</pre> | ||
| 111 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 112 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 113 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 114 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 117 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 118 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 119 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 120 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package |
| 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. |
| 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security |
| 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| Offset 181, 44 lines modified | Offset 181, 15 lines modified | ||
| 181 | class·install_vsftpd·{ | 181 | class·install_vsftpd·{ |
| 182 | ··package·{·'vsftpd': | 182 | ··package·{·'vsftpd': |
| 183 | ····ensure·=>·'installed', | 183 | ····ensure·=>·'installed', |
| 184 | ··} | 184 | ··} |
| 185 | } | 185 | } |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> | 186 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> |
| 187 | package·--add=vsftpd | 187 | package·--add=vsftpd |
| 188 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 188 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 189 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 190 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 191 | parameters·from·a·server. | ||
| 192 | <br><br> | ||
| 193 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 194 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 195 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 196 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 197 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 198 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 199 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 200 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 201 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 203 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 204 | following·changes: | ||
| 205 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 206 | <pre>BOOTPROTO=none</pre> | ||
| 207 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 208 | values·based·on·your·site's·addressing·scheme: | ||
| 209 | <pre>NETMASK=255.255.255.0 | ||
| 210 | IPADDR=192.168.1.2 | ||
| 211 | GATEWAY=192.168.1.1</pre> | ||
| 212 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 213 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 214 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 215 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 216 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 217 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 218 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 189 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 219 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 190 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 220 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 191 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 221 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 192 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 222 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 193 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 223 | outside·world. | 194 | outside·world. |
| 224 | <br><br> | 195 | <br><br> |
| Offset 237, 15 lines modified | Offset 208, 15 lines modified | ||
| 237 | <br><br> | 208 | <br><br> |
| 238 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 209 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 239 | servers,·and·the·remainder·obtaining·time·information·from·those | 210 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 240 | internal·servers. | 211 | internal·servers. |
| 241 | <br><br> | 212 | <br><br> |
| 242 | More·information·on·how·to·configure·the·NTP·server·software, | 213 | More·information·on·how·to·configure·the·NTP·server·software, |
| 243 | including·configuration·of·cryptographic·authentication·for | 214 | including·configuration·of·cryptographic·authentication·for |
| 244 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 215 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 245 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 246 | ·········· | 217 | ·········· |
| 247 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 218 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| Max diff block lines reached; 1857686/1889645 bytes (98.31%) of diff not shown. | |||
| Offset 61, 15 lines modified | Offset 61, 15 lines modified | ||
| 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 64 | quality,·reliability,·or·any·other·characteristic. | 64 | quality,·reliability,·or·any·other·characteristic. |
| 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#x[·...·truncated·by·diffoscope;·len:·732,·SHA1:·2219f187bb27e11bbb6b7ed4731606f600bfb059·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 333, 218 lines modified | Offset 333, 14 lines modified | ||
| 333 | class·remove_httpd·{ | 333 | class·remove_httpd·{ |
| 334 | ··package·{·'httpd': | 334 | ··package·{·'httpd': |
| 335 | ····ensure·=>·'purged', | 335 | ····ensure·=>·'purged', |
| 336 | ··} | 336 | ··} |
| 337 | } | 337 | } |
| 338 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 338 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 339 | package·--remove=httpd | 339 | package·--remove=httpd |
| 340 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 341 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 342 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 343 | parameters·from·a·server. | ||
| 344 | <br><br> | ||
| 345 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 346 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 347 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 348 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 349 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 350 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 351 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 352 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 353 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 354 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 355 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 356 | following·changes: | ||
| 357 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 358 | <pre>BOOTPROTO=none</pre> | ||
| 359 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 360 | values·based·on·your·site's·addressing·scheme: | ||
| 361 | <pre>NETMASK=255.255.255.0 | ||
| 362 | IPADDR=192.168.1.2 | ||
| 363 | GATEWAY=192.168.1.1</pre> | ||
| 364 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 365 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 366 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 367 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 369 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 370 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 371 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 372 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 373 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 374 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 375 | the·dhcp·package·can·be·uninstalled. | ||
| 376 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 377 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 378 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 380 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29694">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29694"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 381 | # | ||
| 382 | #·Example·Call(s): | ||
| 383 | # | ||
| 384 | #·····package_remove·telnet-server | ||
| 385 | # | ||
| 386 | function·package_remove·{ | ||
| 387 | #·Load·function·arguments·into·local·variables | ||
| 388 | local·package="$1" | ||
| 389 | #·Check·sanity·of·the·input | ||
| 390 | if·[·$#·-ne·"1"·] | ||
| 391 | then | ||
| 392 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 393 | ··echo·"Aborting." | ||
| 394 | ··exit·1 | ||
| 395 | fi | ||
| 396 | if·which·dnf·;·then | ||
| 397 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····dnf·remove·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·yum·;·then | ||
| 401 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 402 | ····yum·remove·-y·"$package" | ||
| 403 | ··fi | ||
| 404 | elif·which·apt-get·;·then | ||
| 405 | ··apt-get·remove·-y·"$package" | ||
| 406 | else | ||
| 407 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 408 | ··echo·"Aborting." | ||
| 409 | ··exit·1 | ||
| 410 | fi | ||
| 411 | } | ||
| 412 | package_remove·dhcp | ||
| 413 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29696">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29696"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 414 | ··package: | ||
| 415 | ····name="{{item}}" | ||
| 416 | ····state=absent | ||
| 417 | ··with_items: | ||
| 418 | ····-·dhcp | ||
| 419 | ··tags: | ||
| 420 | ····-·package_dhcp_removed | ||
| 421 | ····-·medium_severity | ||
| 422 | ····-·disable_strategy | ||
| 423 | ····-·low_complexity | ||
| 424 | ····-·low_disruption | ||
| 425 | ····-·CCE-27120-5 | ||
| 426 | ····-·NIST-800-53-CM-7 | ||
| 427 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29697">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29697"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 428 | class·remove_dhcp·{ | ||
| 429 | ··package·{·'dhcp': | ||
| 430 | ····ensure·=>·'purged', | ||
| 431 | ··} | ||
| 432 | } | ||
| 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 434 | package·--remove=dhcp | ||
| 435 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29703"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 436 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| Max diff block lines reached; 2169348/2193160 bytes (98.91%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 48 lines modified | Offset 201, 48 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29643"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 212 | <em>ntpserver</em>: | ||
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29788"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 210 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 211 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 212 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 213 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 214 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 215 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 218 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29661"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 220 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 221 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 222 | <em>ntpserver</em>: | ||
| 223 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 224 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 225 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 226 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 227 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 228 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | ||
| 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and | 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and |
| 230 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity | 230 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity |
| 231 | for·data·exchanged·between·two·systems,·as·well·as·server | 231 | for·data·exchanged·between·two·systems,·as·well·as·server |
| 232 | authentication,·through·the·use·of·public·key·cryptography.·The | 232 | authentication,·through·the·use·of·public·key·cryptography.·The |
| 233 | implementation·included·with·the·system·is·called·OpenSSH,·and·more | 233 | implementation·included·with·the·system·is·called·OpenSSH,·and·more |
| 234 | detailed·documentation·is·available·from·its·website, | 234 | detailed·documentation·is·available·from·its·website, |
| 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31 | 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31839"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 243 | interval. | 243 | interval. |
| 244 | After·this·interval·has·passed,·the·idle·user·will·be | 244 | After·this·interval·has·passed,·the·idle·user·will·be |
| 245 | automatically·logged·out. | 245 | automatically·logged·out. |
| 246 | <br><br> | 246 | <br><br> |
| 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 248 | follows: | 248 | follows: |
| Offset 253, 23 lines modified | Offset 253, 23 lines modified | ||
| 253 | If·a·shorter·timeout·has·already·been·set·for·the·login | 253 | If·a·shorter·timeout·has·already·been·set·for·the·login |
| 254 | shell,·that·value·will·preempt·any·SSH | 254 | shell,·that·value·will·preempt·any·SSH |
| 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| Max diff block lines reached; 837803/861548 bytes (97.24%) of diff not shown. | |||
| Offset 56, 135 lines modified | Offset 56, 23 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 73 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 74 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 75 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 76 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm29980"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 78 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 79 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 80 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 81 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 82 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 83 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 84 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 85 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 86 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 87 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29998">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29998"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 89 | # | ||
| 90 | #·Example·Call(s): | ||
| 91 | # | ||
| 92 | #·····service_command·enable·bluetooth | ||
| 93 | #·····service_command·disable·bluetooth.service | ||
| 94 | # | ||
| 95 | #·····Using·xinetd: | ||
| 96 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 97 | # | ||
| 98 | function·service_command·{ | ||
| 99 | #·Load·function·arguments·into·local·variables | ||
| 100 | local·service_state=$1 | ||
| 101 | local·service=$2 | ||
| 102 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 103 | #·Check·sanity·of·the·input | ||
| 104 | if·[·$#·-lt·"2"·] | ||
| 105 | then | ||
| 106 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 107 | ··echo | ||
| 108 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 109 | ··echo·"as·the·last·argument"·· | ||
| 110 | ··echo·"Aborting." | ||
| 111 | ··exit·1 | ||
| 112 | fi | ||
| 113 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 114 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 115 | ··service_util="/usr/bin/systemctl" | ||
| 116 | else | ||
| 117 | ··service_util="/sbin/service" | ||
| 118 | ··chkconfig_util="/sbin/chkconfig" | ||
| 119 | fi | ||
| 120 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 121 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 122 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 123 | ··service_state="enable" | ||
| 124 | ··service_operation="start" | ||
| 125 | ··chkconfig_state="on" | ||
| 126 | else | ||
| 127 | ··service_state="disable" | ||
| 128 | ··service_operation="stop" | ||
| 129 | ··chkconfig_state="off" | ||
| 130 | fi | ||
| 131 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 132 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 133 | ··$service_util·$service·$service_operation | ||
| 134 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 135 | else | ||
| 136 | ··$service_util·$service_operation·$service | ||
| 137 | ··$service_util·$service_state·$service | ||
| 138 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 139 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 140 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 141 | ··$service_util·reset-failed·$service | ||
| 142 | fi | ||
| 143 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 144 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 145 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 146 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 147 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 148 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 149 | ··else | ||
| 150 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 151 | ··fi | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | service_command·disable·atd | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30000">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30000"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 156 | ··service: | ||
| 157 | ····name="{{item}}" | ||
| 158 | ····enabled="no" | ||
| 159 | ····state="stopped" | ||
| 160 | ··register:·service_result | ||
| 161 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 162 | ··with_items: | ||
| 163 | ····-·atd | ||
| 164 | ··tags: | ||
| 165 | ····-·service_atd_disabled | ||
| 166 | ····-·unknown_severity | ||
| 167 | ····-·disable_strategy | ||
| 168 | ····-·low_complexity | ||
| 169 | ····-·low_disruption | ||
| 170 | ····-·CCE-27249-2 | ||
| 171 | ····-·NIST-800-53-CM-7 | ||
| 172 | ····-·DISA-STIG-RHEL-06-000262 | ||
| Max diff block lines reached; 578209/593144 bytes (97.48%) of diff not shown. | |||
| Offset 57, 52 lines modified | Offset 57, 23 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 74 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 75 | parameters·from·a·server. | ||
| 76 | <br><br> | ||
| 77 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 78 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 79 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 80 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 81 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 83 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 84 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 85 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 86 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 87 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 88 | following·changes: | ||
| 89 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 90 | <pre>BOOTPROTO=none</pre> | ||
| 91 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 92 | values·based·on·your·site's·addressing·scheme: | ||
| 93 | <pre>NETMASK=255.255.255.0 | ||
| 94 | IPADDR=192.168.1.2 | ||
| 95 | GATEWAY=192.168.1.1</pre> | ||
| 96 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 97 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 98 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 99 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 101 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 102 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 103 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 74 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 104 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 75 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 105 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 76 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 106 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 77 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 107 | outside·world. | 78 | outside·world. |
| 108 | <br><br> | 79 | <br><br> |
| Offset 121, 15 lines modified | Offset 92, 15 lines modified | ||
| 121 | <br><br> | 92 | <br><br> |
| 122 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 93 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 123 | servers,·and·the·remainder·obtaining·time·information·from·those | 94 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 124 | internal·servers. | 95 | internal·servers. |
| 125 | <br><br> | 96 | <br><br> |
| 126 | More·information·on·how·to·configure·the·NTP·server·software, | 97 | More·information·on·how·to·configure·the·NTP·server·software, |
| 127 | including·configuration·of·cryptographic·authentication·for | 98 | including·configuration·of·cryptographic·authentication·for |
| 128 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 99 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 130 | ·········· | 101 | ·········· |
| 131 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 102 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 132 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 103 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 133 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 104 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 134 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 105 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 135 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 106 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 138, 15 lines modified | Offset 109, 15 lines modified | ||
| 138 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 109 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 139 | logs·and·auditing·possible·security·breaches.·· | 110 | logs·and·auditing·possible·security·breaches.·· |
| 140 | <br><br> | 111 | <br><br> |
| 141 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 112 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 142 | deprecated.··Additional·information·on·this·is·available·at· | 113 | deprecated.··Additional·information·on·this·is·available·at· |
| 143 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 114 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 144 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 115 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 145 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 116 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 146 | # | 117 | # |
| 147 | #·Example·Call(s): | 118 | #·Example·Call(s): |
| 148 | # | 119 | # |
| 149 | #·····service_command·enable·bluetooth | 120 | #·····service_command·enable·bluetooth |
| 150 | #·····service_command·disable·bluetooth.service | 121 | #·····service_command·disable·bluetooth.service |
| 151 | # | 122 | # |
| 152 | #·····Using·xinetd: | 123 | #·····Using·xinetd: |
| Offset 214, 15 lines modified | Offset 185, 15 lines modified | ||
| 214 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 185 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 215 | ··fi | 186 | ··fi |
| 216 | fi | 187 | fi |
| 217 | } | 188 | } |
| 218 | service_command·enable·ntpd | 189 | service_command·enable·ntpd |
| 219 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 190 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 220 | ··service: | 191 | ··service: |
| 221 | ····name="{{item}}" | 192 | ····name="{{item}}" |
| 222 | ····enabled="yes" | 193 | ····enabled="yes" |
| 223 | ····state="started" | 194 | ····state="started" |
| 224 | ··with_items: | 195 | ··with_items: |
| 225 | ····-·ntpd | 196 | ····-·ntpd |
| 226 | ··tags: | 197 | ··tags: |
| Offset 231, 320 lines modified | Offset 202, 25 lines modified | ||
| 231 | ····-·enable_strategy | 202 | ····-·enable_strategy |
| 232 | ····-·low_complexity | 203 | ····-·low_complexity |
| 233 | ····-·low_disruption | 204 | ····-·low_disruption |
| 234 | ····-·CCE-27093-4 | 205 | ····-·CCE-27093-4 |
| 235 | ····-·NIST-800-53-AU-8(1) | 206 | ····-·NIST-800-53-AU-8(1) |
| 236 | ····-·PCI-DSS-Req-10.4 | 207 | ····-·PCI-DSS-Req-10.4 |
| 237 | ····-·DISA-STIG-RHEL-06-000247 | 208 | ····-·DISA-STIG-RHEL-06-000247 |
| 238 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 209 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29643"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 239 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 240 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 211 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 241 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 212 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 242 | <pre>server·<i>ntpserver</i></pre> | 213 | <pre>server·<i>ntpserver</i></pre> |
| 243 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 214 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 244 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 215 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 245 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 216 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 246 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 247 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 248 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 219 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 249 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 250 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 251 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 252 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 253 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm29963"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 254 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 255 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 256 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| Max diff block lines reached; 1829058/1873862 bytes (97.61%) of diff not shown. | |||
| Offset 58, 15 lines modified | Offset 58, 15 lines modified | ||
| 58 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 58 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 62 | quality,·reliability,·or·any·other·characteristic. | 62 | quality,·reliability,·or·any·other·characteristic. |
| 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 64 | ····························(as·of·2018-07-26) | 64 | ····························(as·of·2018-07-26) |
| 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.[·...·truncated·by·diffoscope;·len:·426,·SHA1:·272d3d702e27eb16cc11a094bca0fa13fa0b2249·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 69 | ones·can·be·safely·disabled. | 69 | ones·can·be·safely·disabled. |
| 70 | <br><br> | 70 | <br><br> |
| 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 93, 15 lines modified | Offset 93, 15 lines modified | ||
| 93 | <br><br> | 93 | <br><br> |
| 94 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 94 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 95 | servers,·and·the·remainder·obtaining·time·information·from·those | 95 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 96 | internal·servers. | 96 | internal·servers. |
| 97 | <br><br> | 97 | <br><br> |
| 98 | More·information·on·how·to·configure·the·NTP·server·software, | 98 | More·information·on·how·to·configure·the·NTP·server·software, |
| 99 | including·configuration·of·cryptographic·authentication·for | 99 | including·configuration·of·cryptographic·authentication·for |
| 100 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 100 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 102 | ·········· | 102 | ·········· |
| 103 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 103 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 104 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 104 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 105 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 105 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 106 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 106 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 107 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 107 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 110, 15 lines modified | Offset 110, 15 lines modified | ||
| 110 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 110 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 111 | logs·and·auditing·possible·security·breaches.·· | 111 | logs·and·auditing·possible·security·breaches.·· |
| 112 | <br><br> | 112 | <br><br> |
| 113 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 113 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 114 | deprecated.··Additional·information·on·this·is·available·at· | 114 | deprecated.··Additional·information·on·this·is·available·at· |
| 115 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 115 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 116 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 116 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 118 | # | 118 | # |
| 119 | #·Example·Call(s): | 119 | #·Example·Call(s): |
| 120 | # | 120 | # |
| 121 | #·····service_command·enable·bluetooth | 121 | #·····service_command·enable·bluetooth |
| 122 | #·····service_command·disable·bluetooth.service | 122 | #·····service_command·disable·bluetooth.service |
| 123 | # | 123 | # |
| 124 | #·····Using·xinetd: | 124 | #·····Using·xinetd: |
| Offset 186, 15 lines modified | Offset 186, 15 lines modified | ||
| 186 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 186 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 187 | ··fi | 187 | ··fi |
| 188 | fi | 188 | fi |
| 189 | } | 189 | } |
| 190 | service_command·enable·ntpd | 190 | service_command·enable·ntpd |
| 191 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 191 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 192 | ··service: | 192 | ··service: |
| 193 | ····name="{{item}}" | 193 | ····name="{{item}}" |
| 194 | ····enabled="yes" | 194 | ····enabled="yes" |
| 195 | ····state="started" | 195 | ····state="started" |
| 196 | ··with_items: | 196 | ··with_items: |
| 197 | ····-·ntpd | 197 | ····-·ntpd |
| 198 | ··tags: | 198 | ··tags: |
| Offset 203, 238 lines modified | Offset 203, 25 lines modified | ||
| 203 | ····-·enable_strategy | 203 | ····-·enable_strategy |
| 204 | ····-·low_complexity | 204 | ····-·low_complexity |
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27093-4 | 206 | ····-·CCE-27093-4 |
| 207 | ····-·NIST-800-53-AU-8(1) | 207 | ····-·NIST-800-53-AU-8(1) |
| 208 | ····-·PCI-DSS-Req-10.4 | 208 | ····-·PCI-DSS-Req-10.4 |
| 209 | ····-·DISA-STIG-RHEL-06-000247 | 209 | ····-·DISA-STIG-RHEL-06-000247 |
| 210 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 210 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29643"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 212 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 212 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 213 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 213 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 214 | <pre>server·<i>ntpserver</i></pre> | 214 | <pre>server·<i>ntpserver</i></pre> |
| 215 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 215 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 216 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 216 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 217 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 217 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 218 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 218 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 219 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 219 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 220 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 220 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 221 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 222 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 223 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 224 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 225 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm29963"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 227 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 228 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 229 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 230 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 231 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 232 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 233 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29973"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 234 | # | ||
| 235 | #·Example·Call(s): | ||
| 236 | # | ||
| 237 | #·····service_command·enable·bluetooth | ||
| 238 | #·····service_command·disable·bluetooth.service | ||
| 239 | # | ||
| 240 | #·····Using·xinetd: | ||
| 241 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 242 | # | ||
| 243 | function·service_command·{ | ||
| 244 | #·Load·function·arguments·into·local·variables | ||
| 245 | local·service_state=$1 | ||
| 246 | local·service=$2 | ||
| 247 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 248 | #·Check·sanity·of·the·input | ||
| 249 | if·[·$#·-lt·"2"·] | ||
| 250 | then | ||
| 251 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 252 | ··echo | ||
| 253 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 254 | ··echo·"as·the·last·argument"·· | ||
| 255 | ··echo·"Aborting." | ||
| 256 | ··exit·1 | ||
| 257 | fi | ||
| 258 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 259 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 260 | ··service_util="/usr/bin/systemctl" | ||
| 261 | else | ||
| Max diff block lines reached; 1804883/1835014 bytes (98.36%) of diff not shown. | |||
| Offset 63, 15 lines modified | Offset 63, 15 lines modified | ||
| 63 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 63 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 67 | quality,·reliability,·or·any·other·characteristic. | 67 | quality,·reliability,·or·any·other·characteristic. |
| 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 69 | ····························(as·of·2018-07-26) | 69 | ····························(as·of·2018-07-26) |
| 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href[·...·truncated·by·diffoscope;·len:·837,·SHA1:·9eb0d8fb27d69580f55a433ff04eb02c23276d4a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 74 | ones·can·be·safely·disabled. | 74 | ones·can·be·safely·disabled. |
| 75 | <br><br> | 75 | <br><br> |
| 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 84, 58 lines modified | Offset 84, 29 lines modified | ||
| 84 | <br><br> | 84 | <br><br> |
| 85 | However,·there·are·some·FTP·server·configurations·which·may | 85 | However,·there·are·some·FTP·server·configurations·which·may |
| 86 | be·appropriate·for·some·environments,·particularly·those·which | 86 | be·appropriate·for·some·environments,·particularly·those·which |
| 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 93 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 94 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 95 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 96 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29062"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 97 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 93 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 98 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 94 | <pre>xferlog_enable=YES | 99 | <pre>xferlog_enable=YES |
| 95 | xferlog_std_format=NO | 100 | xferlog_std_format=NO |
| 96 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 101 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 97 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 102 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 98 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 103 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 104 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 100 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 105 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 102 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 103 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 105 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 107 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 108 | parameters·from·a·server. | ||
| 109 | <br><br> | ||
| 110 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 111 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 112 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 113 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 114 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 115 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 116 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 117 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 118 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 120 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 121 | following·changes: | ||
| 122 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 123 | <pre>BOOTPROTO=none</pre> | ||
| 124 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 125 | values·based·on·your·site's·addressing·scheme: | ||
| 126 | <pre>NETMASK=255.255.255.0 | ||
| 127 | IPADDR=192.168.1.2 | ||
| 128 | GATEWAY=192.168.1.1</pre> | ||
| 129 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 130 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 131 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 132 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 133 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 134 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 135 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 136 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 107 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 137 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 108 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 138 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 109 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 139 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 110 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 140 | outside·world. | 111 | outside·world. |
| 141 | <br><br> | 112 | <br><br> |
| Offset 154, 15 lines modified | Offset 125, 15 lines modified | ||
| 154 | <br><br> | 125 | <br><br> |
| 155 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 126 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 156 | servers,·and·the·remainder·obtaining·time·information·from·those | 127 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 157 | internal·servers. | 128 | internal·servers. |
| 158 | <br><br> | 129 | <br><br> |
| 159 | More·information·on·how·to·configure·the·NTP·server·software, | 130 | More·information·on·how·to·configure·the·NTP·server·software, |
| 160 | including·configuration·of·cryptographic·authentication·for | 131 | including·configuration·of·cryptographic·authentication·for |
| 161 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 132 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29619"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 133 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 163 | ·········· | 134 | ·········· |
| 164 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 135 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 165 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 136 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 166 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 137 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 167 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 138 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 168 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 139 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 171, 15 lines modified | Offset 142, 15 lines modified | ||
| 171 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 142 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 172 | logs·and·auditing·possible·security·breaches.·· | 143 | logs·and·auditing·possible·security·breaches.·· |
| 173 | <br><br> | 144 | <br><br> |
| 174 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 145 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 175 | deprecated.··Additional·information·on·this·is·available·at· | 146 | deprecated.··Additional·information·on·this·is·available·at· |
| 176 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 147 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 177 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 148 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 178 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 149 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 179 | # | 150 | # |
| 180 | #·Example·Call(s): | 151 | #·Example·Call(s): |
| 181 | # | 152 | # |
| 182 | #·····service_command·enable·bluetooth | 153 | #·····service_command·enable·bluetooth |
| 183 | #·····service_command·disable·bluetooth.service | 154 | #·····service_command·disable·bluetooth.service |
| 184 | # | 155 | # |
| 185 | #·····Using·xinetd: | 156 | #·····Using·xinetd: |
| Offset 247, 15 lines modified | Offset 218, 15 lines modified | ||
| 247 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 218 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 248 | ··fi | 219 | ··fi |
| 249 | fi | 220 | fi |
| 250 | } | 221 | } |
| 251 | service_command·enable·ntpd | 222 | service_command·enable·ntpd |
| 252 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 223 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 253 | ··service: | 224 | ··service: |
| 254 | ····name="{{item}}" | 225 | ····name="{{item}}" |
| 255 | ····enabled="yes" | 226 | ····enabled="yes" |
| 256 | ····state="started" | 227 | ····state="started" |
| 257 | ··with_items: | 228 | ··with_items: |
| 258 | ····-·ntpd | 229 | ····-·ntpd |
| 259 | ··tags: | 230 | ··tags: |
| Max diff block lines reached; 2258028/2285546 bytes (98.80%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·988,·SHA1:·72fb730629963fd35d8a9f3a941a3c4bb087dd81·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 432, 198 lines modified | Offset 432, 14 lines modified | ||
| 432 | class·remove_httpd·{ | 432 | class·remove_httpd·{ |
| 433 | ··package·{·'httpd': | 433 | ··package·{·'httpd': |
| 434 | ····ensure·=>·'purged', | 434 | ····ensure·=>·'purged', |
| 435 | ··} | 435 | ··} |
| 436 | } | 436 | } |
| 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 438 | package·--remove=httpd | 438 | package·--remove=httpd |
| 439 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 440 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 441 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 442 | parameters·from·a·server. | ||
| 443 | <br><br> | ||
| 444 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 445 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 446 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 447 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 448 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 449 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 450 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 451 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 452 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 454 | the·dhcp·package·can·be·uninstalled. | ||
| 455 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 456 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 457 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 458 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 459 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29694">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29694"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 460 | # | ||
| 461 | #·Example·Call(s): | ||
| 462 | # | ||
| 463 | #·····package_remove·telnet-server | ||
| 464 | # | ||
| 465 | function·package_remove·{ | ||
| 466 | #·Load·function·arguments·into·local·variables | ||
| 467 | local·package="$1" | ||
| 468 | #·Check·sanity·of·the·input | ||
| 469 | if·[·$#·-ne·"1"·] | ||
| 470 | then | ||
| 471 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 472 | ··echo·"Aborting." | ||
| 473 | ··exit·1 | ||
| 474 | fi | ||
| 475 | if·which·dnf·;·then | ||
| 476 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 477 | ····dnf·remove·-y·"$package" | ||
| 478 | ··fi | ||
| 479 | elif·which·yum·;·then | ||
| 480 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 481 | ····yum·remove·-y·"$package" | ||
| 482 | ··fi | ||
| 483 | elif·which·apt-get·;·then | ||
| 484 | ··apt-get·remove·-y·"$package" | ||
| 485 | else | ||
| 486 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 487 | ··echo·"Aborting." | ||
| 488 | ··exit·1 | ||
| 489 | fi | ||
| 490 | } | ||
| 491 | package_remove·dhcp | ||
| 492 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29696">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29696"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 493 | ··package: | ||
| 494 | ····name="{{item}}" | ||
| 495 | ····state=absent | ||
| 496 | ··with_items: | ||
| 497 | ····-·dhcp | ||
| 498 | ··tags: | ||
| 499 | ····-·package_dhcp_removed | ||
| 500 | ····-·medium_severity | ||
| 501 | ····-·disable_strategy | ||
| 502 | ····-·low_complexity | ||
| 503 | ····-·low_disruption | ||
| 504 | ····-·CCE-27120-5 | ||
| 505 | ····-·NIST-800-53-CM-7 | ||
| 506 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29697">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29697"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 507 | class·remove_dhcp·{ | ||
| 508 | ··package·{·'dhcp': | ||
| 509 | ····ensure·=>·'purged', | ||
| 510 | ··} | ||
| 511 | } | ||
| 512 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 513 | package·--remove=dhcp | ||
| 514 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29703"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 515 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 516 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 517 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 518 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 519 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 520 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 521 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 522 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29712">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29712"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 523 | # | ||
| 524 | #·Example·Call(s): | ||
| 525 | # | ||
| 526 | #·····service_command·enable·bluetooth | ||
| 527 | #·····service_command·disable·bluetooth.service | ||
| 528 | # | ||
| 529 | #·····Using·xinetd: | ||
| 530 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 531 | # | ||
| 532 | function·service_command·{ | ||
| 533 | #·Load·function·arguments·into·local·variables | ||
| Max diff block lines reached; 1931615/1953396 bytes (98.88%) of diff not shown. | |||
| Offset 207, 101 lines modified | Offset 207, 101 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36084"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>r | 220 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·r | 221 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36109">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36109"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 228 | # | 228 | # |
| 229 | #·Disable·r | 229 | #·Disable·rsh.socket·for·all·systemd·targets |
| 230 | # | 230 | # |
| 231 | systemctl·disable·r | 231 | systemctl·disable·rsh.socket |
| 232 | # | 232 | # |
| 233 | #·Stop·r | 233 | #·Stop·rsh.socket·if·currently·running |
| 234 | # | 234 | # |
| 235 | systemctl·stop·r | 235 | systemctl·stop·rsh.socket |
| 236 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 236 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 237 | ··service: | 237 | ··service: |
| 238 | ····name="{{item}}" | 238 | ····name="{{item}}" |
| 239 | ····enabled="no" | 239 | ····enabled="no" |
| 240 | ····state="stopped" | 240 | ····state="stopped" |
| 241 | ··register:·service_result | 241 | ··register:·service_result |
| 242 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 242 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 243 | ··with_items: | 243 | ··with_items: |
| 244 | ····-·r | 244 | ····-·rsh |
| 245 | ··tags: | 245 | ··tags: |
| 246 | ····-·service_r | 246 | ····-·service_rsh_disabled |
| 247 | ····-·high_severity | 247 | ····-·high_severity |
| 248 | ····-·disable_strategy | 248 | ····-·disable_strategy |
| 249 | ····-·low_complexity | 249 | ····-·low_complexity |
| 250 | ····-·low_disruption | 250 | ····-·low_disruption |
| 251 | ····-·CCE-27 | 251 | ····-·CCE-27337-5 |
| 252 | ····-·NIST-800-53-AC-17(8) | 252 | ····-·NIST-800-53-AC-17(8) |
| 253 | ····-·NIST-800-53-CM-7 | 253 | ····-·NIST-800-53-CM-7 |
| 254 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 254 | ····-·NIST-800-171-3.1.13 | 255 | ····-·NIST-800-171-3.1.13 |
| 255 | ····-·NIST-800-171-3.4.7 | 256 | ····-·NIST-800-171-3.4.7 |
| 256 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 257 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 257 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 258 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 258 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 259 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 259 | as·a·systemd·socket,·should·be·disabled. | 260 | as·a·systemd·socket,·should·be·disabled. |
| 260 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 261 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 261 | If·using·systemd,· | 262 | If·using·systemd,· |
| 262 | ········The·<code>r | 263 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 263 | ········<pre>$·sudo·systemctl·disable·r | 264 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 264 | means·that·data·from·the·login·session,·including·passwords·and | 265 | means·that·data·from·the·login·session,·including·passwords·and |
| 265 | all·other·information·transmitted·during·the·session,·can·be | 266 | all·other·information·transmitted·during·the·session,·can·be |
| 266 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 267 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 267 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 268 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 268 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 269 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36139">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36139"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 269 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 270 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 270 | # | 271 | # |
| 271 | #·Disable·r | 272 | #·Disable·rexec.socket·for·all·systemd·targets |
| 272 | # | 273 | # |
| 273 | systemctl·disable·r | 274 | systemctl·disable·rexec.socket |
| 274 | # | 275 | # |
| 275 | #·Stop·r | 276 | #·Stop·rexec.socket·if·currently·running |
| 276 | # | 277 | # |
| 277 | systemctl·stop·r | 278 | systemctl·stop·rexec.socket |
| 278 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 279 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 279 | ··service: | 280 | ··service: |
| 280 | ····name="{{item}}" | 281 | ····name="{{item}}" |
| 281 | ····enabled="no" | 282 | ····enabled="no" |
| 282 | ····state="stopped" | 283 | ····state="stopped" |
| 283 | ··register:·service_result | 284 | ··register:·service_result |
| 284 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 285 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 285 | ··with_items: | 286 | ··with_items: |
| 286 | ····-·r | 287 | ····-·rexec |
| 287 | ··tags: | 288 | ··tags: |
| 288 | ····-·service_r | 289 | ····-·service_rexec_disabled |
| 289 | ····-·high_severity | 290 | ····-·high_severity |
| 290 | ····-·disable_strategy | 291 | ····-·disable_strategy |
| 291 | ····-·low_complexity | 292 | ····-·low_complexity |
| 292 | ····-·low_disruption | 293 | ····-·low_disruption |
| 293 | ····-·CCE-27 | 294 | ····-·CCE-27408-4 |
| 294 | ····-·NIST-800-53-AC-17(8) | 295 | ····-·NIST-800-53-AC-17(8) |
| 295 | ····-·NIST-800-53-CM-7 | 296 | ····-·NIST-800-53-CM-7 |
| 296 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 297 | ····-·NIST-800-171-3.1.13 | 297 | ····-·NIST-800-171-3.1.13 |
| 298 | ····-·NIST-800-171-3.4.7 | 298 | ····-·NIST-800-171-3.4.7 |
| 299 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36179"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files | 299 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36179"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files |
| 300 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in | 300 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in |
| 301 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the | 301 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the |
| 302 | local·system·when·using·the·rshd·daemon. | 302 | local·system·when·using·the·rshd·daemon. |
| 303 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 303 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| Offset 733, 96 lines modified | Offset 733, 25 lines modified | ||
| 733 | ····-·NIST-800-53-AC-17(8) | 733 | ····-·NIST-800-53-AC-17(8) |
| 734 | ····-·NIST-800-53-CM-7 | 734 | ····-·NIST-800-53-CM-7 |
| 735 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 735 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 736 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 736 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 737 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 737 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 738 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 738 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 739 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 739 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 740 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 740 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 741 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 742 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 743 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 744 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 745 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 746 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 747 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 748 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.4.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36479">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36479"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 749 | # | ||
| 750 | #·Example·Call(s): | ||
| 751 | # | ||
| 752 | #·····package_install·aide | ||
| 753 | # | ||
| 754 | function·package_install·{ | ||
| Max diff block lines reached; 864562/889934 bytes (97.15%) of diff not shown. | |||
| Offset 1221, 15 lines modified | Offset 1221, 15 lines modified | ||
| 1221 | The·following·recommendations·describe·how·to·strengthen·the | 1221 | The·following·recommendations·describe·how·to·strengthen·the |
| 1222 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1222 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1223 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1223 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1224 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1224 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1225 | and·<code>/etc/firewalld/zones</code>·directories. | 1225 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1226 | <br><br> | 1226 | <br><br> |
| 1227 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1227 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1228 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm4 | 1228 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm40861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1229 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1229 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1230 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1230 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1231 | modify·the·following·line·in | 1231 | modify·the·following·line·in |
| 1232 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1232 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1233 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1233 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1234 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1234 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1235 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1235 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1294, 24 lines modified | Offset 1294, 24 lines modified | ||
| 1294 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1294 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1295 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1295 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1296 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1296 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1297 | vnc-server·wbem-https | 1297 | vnc-server·wbem-https |
| 1298 | </pre> | 1298 | </pre> |
| 1299 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1299 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1300 | service·reload,·enter·the·following·command·as·root: | 1300 | service·reload,·enter·the·following·command·as·root: |
| 1301 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm4 | 1301 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm40986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1303 | ·············· | 1303 | ·············· |
| 1304 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1304 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1305 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1305 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1306 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1306 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1307 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1307 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1308 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1308 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1309 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1309 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1310 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1310 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41000">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41000"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1311 | # | 1311 | # |
| 1312 | #·Example·Call(s): | 1312 | #·Example·Call(s): |
| 1313 | # | 1313 | # |
| 1314 | #·····service_command·enable·bluetooth | 1314 | #·····service_command·enable·bluetooth |
| 1315 | #·····service_command·disable·bluetooth.service | 1315 | #·····service_command·disable·bluetooth.service |
| 1316 | # | 1316 | # |
| 1317 | #·····Using·xinetd: | 1317 | #·····Using·xinetd: |
| Offset 1379, 15 lines modified | Offset 1379, 15 lines modified | ||
| 1379 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1379 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1380 | ··fi | 1380 | ··fi |
| 1381 | fi | 1381 | fi |
| 1382 | } | 1382 | } |
| 1383 | service_command·enable·firewalld | 1383 | service_command·enable·firewalld |
| 1384 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1384 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41002">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41002"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1385 | ··service: | 1385 | ··service: |
| 1386 | ····name="{{item}}" | 1386 | ····name="{{item}}" |
| 1387 | ····enabled="yes" | 1387 | ····enabled="yes" |
| 1388 | ····state="started" | 1388 | ····state="started" |
| 1389 | ··with_items: | 1389 | ··with_items: |
| 1390 | ····-·firewalld | 1390 | ····-·firewalld |
| 1391 | ··tags: | 1391 | ··tags: |
| Offset 1537, 39 lines modified | Offset 1537, 41 lines modified | ||
| 1537 | ····-·NIST-800-53-AC-4 | 1537 | ····-·NIST-800-53-AC-4 |
| 1538 | ····-·NIST-800-53-CM-7 | 1538 | ····-·NIST-800-53-CM-7 |
| 1539 | ····-·NIST-800-53-SC-5 | 1539 | ····-·NIST-800-53-SC-5 |
| 1540 | ····-·NIST-800-53-SC-7 | 1540 | ····-·NIST-800-53-SC-7 |
| 1541 | ····-·NIST-800-171-3.1.20 | 1541 | ····-·NIST-800-171-3.1.20 |
| 1542 | ····-·CJIS-5.10.1.1 | 1542 | ····-·CJIS-5.10.1.1 |
| 1543 | ····-·DISA-STIG-RHEL-07-040620 | 1543 | ····-·DISA-STIG-RHEL-07-040620 |
| 1544 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1544 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·id="guide-tree-leaf-idm41509"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network_host_and_router_parameters"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">Configure·Kernel·Parameter·for·Accepting·ICMP·Redirects·By·Default |
| 1545 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1545 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1546 | ·············· | 1546 | ·············· |
| 1547 | ····To·set·the·runtime·status·of·the·<code>net.ipv4. | 1547 | ····To·set·the·runtime·status·of·the·<code>net.ipv4.conf.default.accept_redirects</code>·kernel·parameter, |
| 1548 | ····run·the·following·command: | 1548 | ····run·the·following·command: |
| 1549 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4. | 1549 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4.conf.default.accept_redirects=0</pre> |
| 1550 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: | 1550 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: |
| 1551 | ····<pre·xml:space="preserve">net.ipv4. | 1551 | ····<pre·xml:space="preserve">net.ipv4.conf.default.accept_redirects·=·0</pre> |
| 1552 | ············</p><span·class="label·label-primary">Rationale:</span><p> | 1552 | ············</p><span·class="label·label-primary">Rationale:</span><p>ICMP·redirect·messages·are·used·by·routers·to·inform·hosts·that·a·more·direct |
| 1553 | 1553 | route·exists·for·a·particular·destination.·These·messages·modify·the·host's·route·table | |
| 1554 | and·are·unauthenticated.·An·illicit·ICMP·redirect·message·could·result·in·a·man-in-the-middle | ||
| 1555 | attack. | ||
| 1554 | <br> | 1556 | <br> |
| 1555 | 1557 | This·feature·of·the·IPv4·protocol·has·few·legitimate·uses.·It·should·be·disabled·unless· | |
| 1556 | a | 1558 | absolutely·required.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1557 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1559 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1558 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-8691 | 1560 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86913r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41528">(show)</a><br></br><[·...·truncated·by·diffoscope;·len:·48,·SHA1:·299de186c47113a10f411fbcc98fc5fa85cbd485·...·]"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 1559 | sysctl_net_ipv4_ | 1561 | sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr>" |
| 1560 | # | 1562 | # |
| 1561 | #·Set·runtime·for·net.ipv4. | 1563 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 1562 | # | 1564 | # |
| 1563 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1565 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 1564 | # | 1566 | # |
| 1565 | #·If·net.ipv4. | 1567 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1566 | #» else,·add·"net.ipv4. | 1568 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1567 | # | 1569 | # |
| 1568 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1570 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1569 | #·it·does·not·exist. | 1571 | #·it·does·not·exist. |
| 1570 | # | 1572 | # |
| 1571 | #·Expects·arguments: | 1573 | #·Expects·arguments: |
| 1572 | # | 1574 | # |
| 1573 | #·config_file:» » Configuration·file·that·will·be·modified | 1575 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1641, 67 lines modified | Offset 1643, 68 lines modified | ||
| 1641 | ··else | 1643 | ··else |
| 1642 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1644 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1643 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1645 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1644 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1646 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1645 | ··fi | 1647 | ··fi |
| 1646 | } | 1648 | } |
| 1647 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1649 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1648 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm415 | 1650 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41531">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41531"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·XCCDF·Value·sysctl_net_ipv4_conf_default_accept_redirects_value·#·promote·to·variable |
| 1649 | ··set_fact: | 1651 | ··set_fact: |
| 1650 | ····sysctl_net_ipv4_ | 1652 | ····sysctl_net_ipv4_conf_default_accept_redirects_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr> |
| 1651 | ··tags: | 1653 | ··tags: |
| 1652 | ····-·always | 1654 | ····-·always |
| 1653 | -·name:·Ensure·sysctl·net.ipv4. | 1655 | -·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 1654 | ··sysctl: | 1656 | ··sysctl: |
| 1655 | ····name:·net.ipv4. | 1657 | ····name:·net.ipv4.conf.default.accept_redirects |
| 1656 | ····value:·"{{·sysctl_net_ipv4_ | 1658 | ····value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 1657 | ····state:·present | 1659 | ····state:·present |
| 1658 | ····reload:·yes | 1660 | ····reload:·yes |
| 1659 | ··tags: | 1661 | ··tags: |
| 1660 | ····-·sysctl_net_ipv4_ | 1662 | ····-·sysctl_net_ipv4_conf_default_accept_redirects |
| 1661 | ····-·medium_severity | 1663 | ····-·medium_severity |
| 1662 | ····-·disable_strategy | 1664 | ····-·disable_strategy |
| 1663 | ····-·low_complexity | 1665 | ····-·low_complexity |
| 1664 | ····-·medium_disruption | 1666 | ····-·medium_disruption |
| 1665 | ····-·CCE-8016 | 1667 | ····-·CCE-80163-9 |
| 1666 | ····-·NIST-800-53-AC-4 | 1668 | ····-·NIST-800-53-AC-4 |
| Max diff block lines reached; 471579/491388 bytes (95.97%) of diff not shown. | |||
| Offset 204, 15 lines modified | Offset 204, 39 lines modified | ||
| 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system | 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system |
| 205 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled | 205 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled |
| 206 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server | 206 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at | 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 208 | least·one·nameserver.·However,·there·are·many·common·attacks | 208 | least·one·nameserver.·However,·there·are·many·common·attacks |
| 209 | involving·DNS·server·software,·and·this·server·software·should | 209 | involving·DNS·server·software,·and·this·server·software·should |
| 210 | be·disabled·on·any·system | 210 | be·disabled·on·any·system |
| 211 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_ | 211 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 213 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 214 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 215 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 216 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 217 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 218 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 219 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 220 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 221 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 222 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 223 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 224 | <pre>options·{ | ||
| 225 | directory·"/path/to/DIRNAME·"; | ||
| 226 | ... | ||
| 227 | }</pre> | ||
| 228 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 229 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 230 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 231 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 233 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 234 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 235 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | ||
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it | 236 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it |
| 213 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify | 237 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify |
| 214 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries | 238 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries |
| 215 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on | 239 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on |
| 216 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On | 240 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On |
| 217 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the | 241 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the |
| 218 | following·directives: | 242 | following·directives: |
| Offset 260, 39 lines modified | Offset 284, 15 lines modified | ||
| 260 | view·"external-view"·{ | 284 | view·"external-view"·{ |
| 261 | ··match-clients·{·any;·}; | 285 | ··match-clients·{·any;·}; |
| 262 | ··recursion·no; | 286 | ··recursion·no; |
| 263 | ··zone·"example.com·"·IN·{ | 287 | ··zone·"example.com·"·IN·{ |
| 264 | ····... | 288 | ····... |
| 265 | ··}; | 289 | ··}; |
| 266 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_d | 290 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server |
| 267 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 268 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 269 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 270 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 271 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 272 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 273 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 274 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 275 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 276 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 277 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 278 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 279 | <pre>options·{ | ||
| 280 | directory·"/path/to/DIRNAME·"; | ||
| 281 | ... | ||
| 282 | }</pre> | ||
| 283 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 284 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 285 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 286 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 287 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 288 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 289 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 290 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server | ||
| 291 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not | 291 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not |
| 292 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is | 292 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is |
| 293 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section | 293 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section |
| 294 | discusses·secure·configuration·of·systems·which·must·be | 294 | discusses·secure·configuration·of·systems·which·must·be |
| 295 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP | 295 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 296 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a | 296 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 297 | standardized·way·of·looking·up·information·from·a·central·database. | 297 | standardized·way·of·looking·up·information·from·a·central·database. |
| Offset 1076, 30 lines modified | Offset 1076, 30 lines modified | ||
| 1076 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to | 1076 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to |
| 1077 | privilege·escalation.·Packages·that·include·network·services·may·give | 1077 | privilege·escalation.·Packages·that·include·network·services·may·give |
| 1078 | this·opportunity·to·network-based·attackers.·Packages·that·include | 1078 | this·opportunity·to·network-based·attackers.·Packages·that·include |
| 1079 | programs·which·are·predictably·executed·by·local·users·(e.g.·after | 1079 | programs·which·are·predictably·executed·by·local·users·(e.g.·after |
| 1080 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other | 1080 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other |
| 1081 | attack·code·to·be·run·undetected.·The·number·of·software·packages | 1081 | attack·code·to·be·run·undetected.·The·number·of·software·packages |
| 1082 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include | 1082 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include |
| 1083 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle- | 1083 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege |
| 1084 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1085 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1086 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1087 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1088 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1089 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1090 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege | ||
| 1091 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. | 1084 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. |
| 1092 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user | 1085 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user |
| 1093 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit | 1086 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit |
| 1094 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in | 1087 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in |
| 1095 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of | 1088 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of |
| 1096 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the | 1089 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the |
| 1097 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the | 1090 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the |
| 1098 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-se | 1091 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-use-security-tools">Configure·Security·Tools·to·Improve·System·Robustness |
| 1092 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1093 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1094 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1095 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1096 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1097 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1098 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-separate-servers"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-separate-servers">Run·Different·Network·Services·on·Separate·Systems | ||
| 1099 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one | 1099 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one |
| 1100 | network·service.·This·limits·the·number·of·other·services·that·can | 1100 | network·service.·This·limits·the·number·of·other·services·that·can |
| 1101 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully | 1101 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully |
| 1102 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible | 1102 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible |
| 1103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible | 1103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible |
| 1104 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting | 1104 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting |
| 1105 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to | 1105 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to |
| Offset 1164, 15 lines modified | Offset 1164, 35 lines modified | ||
| 1164 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an | 1164 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an |
| 1165 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not | 1165 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not |
| 1166 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to | 1166 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to |
| 1167 | introduce·spurious·messages·to·the·central·log·server.·Also,·some | 1167 | introduce·spurious·messages·to·the·central·log·server.·Also,·some |
| 1168 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the | 1168 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the |
| 1169 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is | 1169 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is |
| 1170 | better·to·store·log·messages·both·centrally·and·on·each·host,·so | 1170 | better·to·store·log·messages·both·centrally·and·on·each·host,·so |
| 1171 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1171 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 1172 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| Max diff block lines reached; 51591/77709 bytes (66.39%) of diff not shown. | |||
| Offset 205, 101 lines modified | Offset 205, 101 lines modified | ||
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27336-7 | 206 | ····-·CCE-27336-7 |
| 207 | ····-·NIST-800-53-AC-17(8) | 207 | ····-·NIST-800-53-AC-17(8) |
| 208 | ····-·NIST-800-53-CM-7 | 208 | ····-·NIST-800-53-CM-7 |
| 209 | ····-·NIST-800-53-IA-5(1)(c) | 209 | ····-·NIST-800-53-IA-5(1)(c) |
| 210 | ····-·NIST-800-171-3.1.13 | 210 | ····-·NIST-800-171-3.1.13 |
| 211 | ····-·NIST-800-171-3.4.7 | 211 | ····-·NIST-800-171-3.4.7 |
| 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36084"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 215 | as·a·systemd·socket,·should·be·disabled. | 215 | as·a·systemd·socket,·should·be·disabled. |
| 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 217 | If·using·systemd,· | 217 | If·using·systemd,· |
| 218 | ········The·<code>r | 218 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 219 | ········<pre>$·sudo·systemctl·disable·r | 219 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 220 | means·that·data·from·the·login·session,·including·passwords·and | 220 | means·that·data·from·the·login·session,·including·passwords·and |
| 221 | all·other·information·transmitted·during·the·session,·can·be | 221 | all·other·information·transmitted·during·the·session,·can·be |
| 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36109">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36109"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 226 | # | 226 | # |
| 227 | #·Disable·r | 227 | #·Disable·rsh.socket·for·all·systemd·targets |
| 228 | # | 228 | # |
| 229 | systemctl·disable·r | 229 | systemctl·disable·rsh.socket |
| 230 | # | 230 | # |
| 231 | #·Stop·r | 231 | #·Stop·rsh.socket·if·currently·running |
| 232 | # | 232 | # |
| 233 | systemctl·stop·r | 233 | systemctl·stop·rsh.socket |
| 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 235 | ··service: | 235 | ··service: |
| 236 | ····name="{{item}}" | 236 | ····name="{{item}}" |
| 237 | ····enabled="no" | 237 | ····enabled="no" |
| 238 | ····state="stopped" | 238 | ····state="stopped" |
| 239 | ··register:·service_result | 239 | ··register:·service_result |
| 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 241 | ··with_items: | 241 | ··with_items: |
| 242 | ····-·r | 242 | ····-·rsh |
| 243 | ··tags: | 243 | ··tags: |
| 244 | ····-·service_r | 244 | ····-·service_rsh_disabled |
| 245 | ····-·high_severity | 245 | ····-·high_severity |
| 246 | ····-·disable_strategy | 246 | ····-·disable_strategy |
| 247 | ····-·low_complexity | 247 | ····-·low_complexity |
| 248 | ····-·low_disruption | 248 | ····-·low_disruption |
| 249 | ····-·CCE-27 | 249 | ····-·CCE-27337-5 |
| 250 | ····-·NIST-800-53-AC-17(8) | 250 | ····-·NIST-800-53-AC-17(8) |
| 251 | ····-·NIST-800-53-CM-7 | 251 | ····-·NIST-800-53-CM-7 |
| 252 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 252 | ····-·NIST-800-171-3.1.13 | 253 | ····-·NIST-800-171-3.1.13 |
| 253 | ····-·NIST-800-171-3.4.7 | 254 | ····-·NIST-800-171-3.4.7 |
| 254 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 255 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 255 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 256 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 256 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 257 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 257 | as·a·systemd·socket,·should·be·disabled. | 258 | as·a·systemd·socket,·should·be·disabled. |
| 258 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 259 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 259 | If·using·systemd,· | 260 | If·using·systemd,· |
| 260 | ········The·<code>r | 261 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 261 | ········<pre>$·sudo·systemctl·disable·r | 262 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 262 | means·that·data·from·the·login·session,·including·passwords·and | 263 | means·that·data·from·the·login·session,·including·passwords·and |
| 263 | all·other·information·transmitted·during·the·session,·can·be | 264 | all·other·information·transmitted·during·the·session,·can·be |
| 264 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 265 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 265 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 266 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 266 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 267 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36139">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36139"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 267 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 268 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 268 | # | 269 | # |
| 269 | #·Disable·r | 270 | #·Disable·rexec.socket·for·all·systemd·targets |
| 270 | # | 271 | # |
| 271 | systemctl·disable·r | 272 | systemctl·disable·rexec.socket |
| 272 | # | 273 | # |
| 273 | #·Stop·r | 274 | #·Stop·rexec.socket·if·currently·running |
| 274 | # | 275 | # |
| 275 | systemctl·stop·r | 276 | systemctl·stop·rexec.socket |
| 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 277 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 277 | ··service: | 278 | ··service: |
| 278 | ····name="{{item}}" | 279 | ····name="{{item}}" |
| 279 | ····enabled="no" | 280 | ····enabled="no" |
| 280 | ····state="stopped" | 281 | ····state="stopped" |
| 281 | ··register:·service_result | 282 | ··register:·service_result |
| 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 283 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 283 | ··with_items: | 284 | ··with_items: |
| 284 | ····-·r | 285 | ····-·rexec |
| 285 | ··tags: | 286 | ··tags: |
| 286 | ····-·service_r | 287 | ····-·service_rexec_disabled |
| 287 | ····-·high_severity | 288 | ····-·high_severity |
| 288 | ····-·disable_strategy | 289 | ····-·disable_strategy |
| 289 | ····-·low_complexity | 290 | ····-·low_complexity |
| 290 | ····-·low_disruption | 291 | ····-·low_disruption |
| 291 | ····-·CCE-27 | 292 | ····-·CCE-27408-4 |
| 292 | ····-·NIST-800-53-AC-17(8) | 293 | ····-·NIST-800-53-AC-17(8) |
| 293 | ····-·NIST-800-53-CM-7 | 294 | ····-·NIST-800-53-CM-7 |
| 294 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 295 | ····-·NIST-800-171-3.1.13 | 295 | ····-·NIST-800-171-3.1.13 |
| 296 | ····-·NIST-800-171-3.4.7 | 296 | ····-·NIST-800-171-3.4.7 |
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 299 | the·following·command: | 299 | the·following·command: |
| 300 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 300 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 301 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 301 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 876, 25 lines modified | Offset 876, 25 lines modified | ||
| 876 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 876 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 877 | package·--remove=ypserv | 877 | package·--remove=ypserv |
| 878 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 878 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 879 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 879 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 880 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 880 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 881 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 881 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 882 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 882 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 883 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 883 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 884 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 884 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 885 | ············ | 885 | ············ |
| 886 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 886 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 887 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 887 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 888 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 888 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 889 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 889 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 890 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 890 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 891 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 891 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 892 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 892 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 893 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 893 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36484">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36484"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 894 | # | 894 | # |
| 895 | #·Example·Call(s): | 895 | #·Example·Call(s): |
| 896 | # | 896 | # |
| 897 | #·····service_command·enable·bluetooth | 897 | #·····service_command·enable·bluetooth |
| 898 | #·····service_command·disable·bluetooth.service | 898 | #·····service_command·disable·bluetooth.service |
| 899 | # | 899 | # |
| Max diff block lines reached; 709741/735215 bytes (96.54%) of diff not shown. | |||
| Offset 213, 101 lines modified | Offset 213, 101 lines modified | ||
| 213 | ····-·low_disruption | 213 | ····-·low_disruption |
| 214 | ····-·CCE-27336-7 | 214 | ····-·CCE-27336-7 |
| 215 | ····-·NIST-800-53-AC-17(8) | 215 | ····-·NIST-800-53-AC-17(8) |
| 216 | ····-·NIST-800-53-CM-7 | 216 | ····-·NIST-800-53-CM-7 |
| 217 | ····-·NIST-800-53-IA-5(1)(c) | 217 | ····-·NIST-800-53-IA-5(1)(c) |
| 218 | ····-·NIST-800-171-3.1.13 | 218 | ····-·NIST-800-171-3.1.13 |
| 219 | ····-·NIST-800-171-3.4.7 | 219 | ····-·NIST-800-171-3.4.7 |
| 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36084"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 223 | as·a·systemd·socket,·should·be·disabled. | 223 | as·a·systemd·socket,·should·be·disabled. |
| 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 225 | If·using·systemd,· | 225 | If·using·systemd,· |
| 226 | ········The·<code>r | 226 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 227 | ········<pre>$·sudo·systemctl·disable·r | 227 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 228 | means·that·data·from·the·login·session,·including·passwords·and | 228 | means·that·data·from·the·login·session,·including·passwords·and |
| 229 | all·other·information·transmitted·during·the·session,·can·be | 229 | all·other·information·transmitted·during·the·session,·can·be |
| 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36109">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36109"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 234 | # | 234 | # |
| 235 | #·Disable·r | 235 | #·Disable·rsh.socket·for·all·systemd·targets |
| 236 | # | 236 | # |
| 237 | systemctl·disable·r | 237 | systemctl·disable·rsh.socket |
| 238 | # | 238 | # |
| 239 | #·Stop·r | 239 | #·Stop·rsh.socket·if·currently·running |
| 240 | # | 240 | # |
| 241 | systemctl·stop·r | 241 | systemctl·stop·rsh.socket |
| 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 243 | ··service: | 243 | ··service: |
| 244 | ····name="{{item}}" | 244 | ····name="{{item}}" |
| 245 | ····enabled="no" | 245 | ····enabled="no" |
| 246 | ····state="stopped" | 246 | ····state="stopped" |
| 247 | ··register:·service_result | 247 | ··register:·service_result |
| 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 249 | ··with_items: | 249 | ··with_items: |
| 250 | ····-·r | 250 | ····-·rsh |
| 251 | ··tags: | 251 | ··tags: |
| 252 | ····-·service_r | 252 | ····-·service_rsh_disabled |
| 253 | ····-·high_severity | 253 | ····-·high_severity |
| 254 | ····-·disable_strategy | 254 | ····-·disable_strategy |
| 255 | ····-·low_complexity | 255 | ····-·low_complexity |
| 256 | ····-·low_disruption | 256 | ····-·low_disruption |
| 257 | ····-·CCE-27 | 257 | ····-·CCE-27337-5 |
| 258 | ····-·NIST-800-53-AC-17(8) | 258 | ····-·NIST-800-53-AC-17(8) |
| 259 | ····-·NIST-800-53-CM-7 | 259 | ····-·NIST-800-53-CM-7 |
| 260 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 260 | ····-·NIST-800-171-3.1.13 | 261 | ····-·NIST-800-171-3.1.13 |
| 261 | ····-·NIST-800-171-3.4.7 | 262 | ····-·NIST-800-171-3.4.7 |
| 262 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 263 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 263 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 264 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 264 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 265 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 265 | as·a·systemd·socket,·should·be·disabled. | 266 | as·a·systemd·socket,·should·be·disabled. |
| 266 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 267 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 267 | If·using·systemd,· | 268 | If·using·systemd,· |
| 268 | ········The·<code>r | 269 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 269 | ········<pre>$·sudo·systemctl·disable·r | 270 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 270 | means·that·data·from·the·login·session,·including·passwords·and | 271 | means·that·data·from·the·login·session,·including·passwords·and |
| 271 | all·other·information·transmitted·during·the·session,·can·be | 272 | all·other·information·transmitted·during·the·session,·can·be |
| 272 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 273 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 273 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 274 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 275 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36139">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36139"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 275 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 276 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 276 | # | 277 | # |
| 277 | #·Disable·r | 278 | #·Disable·rexec.socket·for·all·systemd·targets |
| 278 | # | 279 | # |
| 279 | systemctl·disable·r | 280 | systemctl·disable·rexec.socket |
| 280 | # | 281 | # |
| 281 | #·Stop·r | 282 | #·Stop·rexec.socket·if·currently·running |
| 282 | # | 283 | # |
| 283 | systemctl·stop·r | 284 | systemctl·stop·rexec.socket |
| 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 285 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 285 | ··service: | 286 | ··service: |
| 286 | ····name="{{item}}" | 287 | ····name="{{item}}" |
| 287 | ····enabled="no" | 288 | ····enabled="no" |
| 288 | ····state="stopped" | 289 | ····state="stopped" |
| 289 | ··register:·service_result | 290 | ··register:·service_result |
| 290 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 291 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 291 | ··with_items: | 292 | ··with_items: |
| 292 | ····-·r | 293 | ····-·rexec |
| 293 | ··tags: | 294 | ··tags: |
| 294 | ····-·service_r | 295 | ····-·service_rexec_disabled |
| 295 | ····-·high_severity | 296 | ····-·high_severity |
| 296 | ····-·disable_strategy | 297 | ····-·disable_strategy |
| 297 | ····-·low_complexity | 298 | ····-·low_complexity |
| 298 | ····-·low_disruption | 299 | ····-·low_disruption |
| 299 | ····-·CCE-27 | 300 | ····-·CCE-27408-4 |
| 300 | ····-·NIST-800-53-AC-17(8) | 301 | ····-·NIST-800-53-AC-17(8) |
| 301 | ····-·NIST-800-53-CM-7 | 302 | ····-·NIST-800-53-CM-7 |
| 302 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 303 | ····-·NIST-800-171-3.1.13 | 303 | ····-·NIST-800-171-3.1.13 |
| 304 | ····-·NIST-800-171-3.4.7 | 304 | ····-·NIST-800-171-3.4.7 |
| 305 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 305 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 307 | the·following·command: | 307 | the·following·command: |
| 308 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 308 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 309 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 309 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 884, 25 lines modified | Offset 884, 25 lines modified | ||
| 884 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 884 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 885 | package·--remove=ypserv | 885 | package·--remove=ypserv |
| 886 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 886 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 887 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 887 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 888 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 888 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 889 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 889 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 890 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 890 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 891 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 891 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 892 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 892 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 893 | ············ | 893 | ············ |
| 894 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 894 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 895 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 895 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 896 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 896 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 897 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 897 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 898 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 898 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 899 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 899 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 900 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 900 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 901 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 901 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36484">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36484"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 902 | # | 902 | # |
| 903 | #·Example·Call(s): | 903 | #·Example·Call(s): |
| 904 | # | 904 | # |
| 905 | #·····service_command·enable·bluetooth | 905 | #·····service_command·enable·bluetooth |
| 906 | #·····service_command·disable·bluetooth.service | 906 | #·····service_command·disable·bluetooth.service |
| 907 | # | 907 | # |
| Max diff block lines reached; 1460986/1486460 bytes (98.29%) of diff not shown. | |||
| Offset 224, 101 lines modified | Offset 224, 101 lines modified | ||
| 224 | ····-·low_disruption | 224 | ····-·low_disruption |
| 225 | ····-·CCE-27336-7 | 225 | ····-·CCE-27336-7 |
| 226 | ····-·NIST-800-53-AC-17(8) | 226 | ····-·NIST-800-53-AC-17(8) |
| 227 | ····-·NIST-800-53-CM-7 | 227 | ····-·NIST-800-53-CM-7 |
| 228 | ····-·NIST-800-53-IA-5(1)(c) | 228 | ····-·NIST-800-53-IA-5(1)(c) |
| 229 | ····-·NIST-800-171-3.1.13 | 229 | ····-·NIST-800-171-3.1.13 |
| 230 | ····-·NIST-800-171-3.4.7 | 230 | ····-·NIST-800-171-3.4.7 |
| 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36084"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 234 | as·a·systemd·socket,·should·be·disabled. | 234 | as·a·systemd·socket,·should·be·disabled. |
| 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 236 | If·using·systemd,· | 236 | If·using·systemd,· |
| 237 | ········The·<code>r | 237 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 238 | ········<pre>$·sudo·systemctl·disable·r | 238 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 239 | means·that·data·from·the·login·session,·including·passwords·and | 239 | means·that·data·from·the·login·session,·including·passwords·and |
| 240 | all·other·information·transmitted·during·the·session,·can·be | 240 | all·other·information·transmitted·during·the·session,·can·be |
| 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36109">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36109"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 245 | # | 245 | # |
| 246 | #·Disable·r | 246 | #·Disable·rsh.socket·for·all·systemd·targets |
| 247 | # | 247 | # |
| 248 | systemctl·disable·r | 248 | systemctl·disable·rsh.socket |
| 249 | # | 249 | # |
| 250 | #·Stop·r | 250 | #·Stop·rsh.socket·if·currently·running |
| 251 | # | 251 | # |
| 252 | systemctl·stop·r | 252 | systemctl·stop·rsh.socket |
| 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 254 | ··service: | 254 | ··service: |
| 255 | ····name="{{item}}" | 255 | ····name="{{item}}" |
| 256 | ····enabled="no" | 256 | ····enabled="no" |
| 257 | ····state="stopped" | 257 | ····state="stopped" |
| 258 | ··register:·service_result | 258 | ··register:·service_result |
| 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 260 | ··with_items: | 260 | ··with_items: |
| 261 | ····-·r | 261 | ····-·rsh |
| 262 | ··tags: | 262 | ··tags: |
| 263 | ····-·service_r | 263 | ····-·service_rsh_disabled |
| 264 | ····-·high_severity | 264 | ····-·high_severity |
| 265 | ····-·disable_strategy | 265 | ····-·disable_strategy |
| 266 | ····-·low_complexity | 266 | ····-·low_complexity |
| 267 | ····-·low_disruption | 267 | ····-·low_disruption |
| 268 | ····-·CCE-27 | 268 | ····-·CCE-27337-5 |
| 269 | ····-·NIST-800-53-AC-17(8) | 269 | ····-·NIST-800-53-AC-17(8) |
| 270 | ····-·NIST-800-53-CM-7 | 270 | ····-·NIST-800-53-CM-7 |
| 271 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 271 | ····-·NIST-800-171-3.1.13 | 272 | ····-·NIST-800-171-3.1.13 |
| 272 | ····-·NIST-800-171-3.4.7 | 273 | ····-·NIST-800-171-3.4.7 |
| 273 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 274 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 274 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 275 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 275 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 276 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 276 | as·a·systemd·socket,·should·be·disabled. | 277 | as·a·systemd·socket,·should·be·disabled. |
| 277 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 278 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 278 | If·using·systemd,· | 279 | If·using·systemd,· |
| 279 | ········The·<code>r | 280 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 280 | ········<pre>$·sudo·systemctl·disable·r | 281 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 281 | means·that·data·from·the·login·session,·including·passwords·and | 282 | means·that·data·from·the·login·session,·including·passwords·and |
| 282 | all·other·information·transmitted·during·the·session,·can·be | 283 | all·other·information·transmitted·during·the·session,·can·be |
| 283 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 284 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 284 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 285 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 286 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36139">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36139"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 286 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 287 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 287 | # | 288 | # |
| 288 | #·Disable·r | 289 | #·Disable·rexec.socket·for·all·systemd·targets |
| 289 | # | 290 | # |
| 290 | systemctl·disable·r | 291 | systemctl·disable·rexec.socket |
| 291 | # | 292 | # |
| 292 | #·Stop·r | 293 | #·Stop·rexec.socket·if·currently·running |
| 293 | # | 294 | # |
| 294 | systemctl·stop·r | 295 | systemctl·stop·rexec.socket |
| 295 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 296 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 296 | ··service: | 297 | ··service: |
| 297 | ····name="{{item}}" | 298 | ····name="{{item}}" |
| 298 | ····enabled="no" | 299 | ····enabled="no" |
| 299 | ····state="stopped" | 300 | ····state="stopped" |
| 300 | ··register:·service_result | 301 | ··register:·service_result |
| 301 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 302 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 302 | ··with_items: | 303 | ··with_items: |
| 303 | ····-·r | 304 | ····-·rexec |
| 304 | ··tags: | 305 | ··tags: |
| 305 | ····-·service_r | 306 | ····-·service_rexec_disabled |
| 306 | ····-·high_severity | 307 | ····-·high_severity |
| 307 | ····-·disable_strategy | 308 | ····-·disable_strategy |
| 308 | ····-·low_complexity | 309 | ····-·low_complexity |
| 309 | ····-·low_disruption | 310 | ····-·low_disruption |
| 310 | ····-·CCE-27 | 311 | ····-·CCE-27408-4 |
| 311 | ····-·NIST-800-53-AC-17(8) | 312 | ····-·NIST-800-53-AC-17(8) |
| 312 | ····-·NIST-800-53-CM-7 | 313 | ····-·NIST-800-53-CM-7 |
| 313 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 314 | ····-·NIST-800-171-3.1.13 | 314 | ····-·NIST-800-171-3.1.13 |
| 315 | ····-·NIST-800-171-3.4.7 | 315 | ····-·NIST-800-171-3.4.7 |
| 316 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 316 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 317 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 317 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 318 | the·following·command: | 318 | the·following·command: |
| 319 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 319 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 320 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 320 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 895, 25 lines modified | Offset 895, 25 lines modified | ||
| 895 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 895 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36374">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36374"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 896 | package·--remove=ypserv | 896 | package·--remove=ypserv |
| 897 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 897 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 898 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 898 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 899 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 899 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 900 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 900 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 901 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 901 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 902 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 902 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 903 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 903 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 904 | ············ | 904 | ············ |
| 905 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 905 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 906 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 906 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 907 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 907 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 908 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 908 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 909 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 909 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 910 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 910 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 911 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 911 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 912 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 912 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36484">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36484"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 913 | # | 913 | # |
| 914 | #·Example·Call(s): | 914 | #·Example·Call(s): |
| 915 | # | 915 | # |
| 916 | #·····service_command·enable·bluetooth | 916 | #·····service_command·enable·bluetooth |
| 917 | #·····service_command·disable·bluetooth.service | 917 | #·····service_command·disable·bluetooth.service |
| 918 | # | 918 | # |
| Max diff block lines reached; 1460987/1486461 bytes (98.29%) of diff not shown. | |||
| Offset 594, 15 lines modified | Offset 594, 60 lines modified | ||
| 594 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 594 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 595 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 595 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 596 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 596 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 597 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 597 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 598 | a·central·logging·server. | 598 | a·central·logging·server. |
| 599 | This·section·discusses·how·to·configure·rsyslog·for | 599 | This·section·discusses·how·to·configure·rsyslog·for |
| 600 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 600 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 601 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 601 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 602 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| 603 | line,·which·should·look·like·this·(wrapped·for·clarity): | ||
| 604 | <pre>/var/log/messages·/var/log/secure·/var/log/maillog·/var/log/spooler·\ | ||
| 605 | ··/var/log/boot.log·/var/log/cron·{</pre> | ||
| 606 | Edit·this·line·so·that·it·contains·a·one-space-separated | ||
| 607 | listing·of·each·log·file·referenced·in·<code>/etc/rsyslog.conf</code>. | ||
| 608 | <br><br> | ||
| 609 | All·logs·in·use·on·a·system·must·be·rotated·regularly,·or·the | ||
| 610 | log·files·will·consume·disk·space·over·time,·eventually·interfering | ||
| 611 | with·system·operation.·The·file·<code>/etc/logrotate.d/syslog</code>·is·the | ||
| 612 | configuration·file·used·by·the·<code>logrotate</code>·program·to·maintain·all | ||
| 613 | log·files·written·by·<code>syslog</code>.·By·default,·it·rotates·logs·weekly·and | ||
| 614 | stores·four·archival·copies·of·each·log.·These·settings·can·be | ||
| 615 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | ||
| 616 | sufficient·for·purposes·of·this·guide. | ||
| 617 | <br><br> | ||
| 618 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | ||
| 619 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | ||
| 620 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | ||
| 621 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·id="guide-tree-leaf-idm40584"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_log_rotation"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">Ensure·Logrotate·Runs·Periodically | ||
| 622 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>logrotate</code>·utility·allows·for·the·automatic·rotation·of· | ||
| 623 | log·files.··The·frequency·of·rotation·is·specified·in·<code>/etc/logrotate.conf</code>,· | ||
| 624 | which·triggers·a·cron·task.··To·configure·logrotate·to·run·daily,·add·or·correct· | ||
| 625 | the·following·line·in·<code>/etc/logrotate.conf</code>: | ||
| 626 | <pre>#·rotate·log·files·<i>frequency</i> | ||
| 627 | daily</pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·that·are·not·properly·rotated·run·the·risk·of·growing·so·large | ||
| 628 | that·they·fill·up·the·/var/log·partition.·Valuable·logging·information·could·be·lost | ||
| 629 | if·the·/var/log·partition·becomes·full.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 630 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 631 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40596">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40596"><pre><code> | ||
| 632 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | ||
| 633 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 634 | #·daily·rotation·is·configured | ||
| 635 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 636 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 637 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 638 | #·configure·cron.daily·if·not·already | ||
| 639 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 640 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 641 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 642 | fi | ||
| 643 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">Ensure·Proper·Configuration·of·Log·Files | ||
| 602 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. | 644 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. |
| 603 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a | 645 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a |
| 604 | <i>selector</i>·and·an·<i>action</i>. | 646 | <i>selector</i>·and·an·<i>action</i>. |
| 605 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the | 647 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the |
| 606 | requirements·of·the·environment,·and·whatever·may·enable | 648 | requirements·of·the·environment,·and·whatever·may·enable |
| 607 | the·administrator·to·most·effectively·make·use·of·log·data. | 649 | the·administrator·to·most·effectively·make·use·of·log·data. |
| 608 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: | 650 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: |
| Offset 613, 57 lines modified | Offset 658, 29 lines modified | ||
| 613 | *.emerg·················································* | 658 | *.emerg·················································* |
| 614 | uucp,news.crit··········································/var/log/spooler | 659 | uucp,news.crit··········································/var/log/spooler |
| 615 | local7.*················································/var/log/boot.log</pre> | 660 | local7.*················································/var/log/boot.log</pre> |
| 616 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. | 661 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. |
| 617 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that | 662 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that |
| 618 | some·log·processing·programs·may·not·understand.·If·this·occurs,· | 663 | some·log·processing·programs·may·not·understand.·If·this·occurs,· |
| 619 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> | 664 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> |
| 620 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ | 665 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40624"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions |
| 621 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·group-owner·of·all·log·files·written·by | ||
| 622 | <code>rsyslog</code>·should·be·root. | ||
| 623 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 624 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 625 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 626 | run·the·following·command·to·inspect·the·file's·group·owner: | ||
| 627 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 628 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 629 | correct·this: | ||
| 630 | <pre>$·sudo·chgrp·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 631 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 632 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 633 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 634 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·id="guide-tree-leaf-idm40614"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">Ensure·Log·Files·Are·Owned·By·Appropriate·User | ||
| 635 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·owner·of·all·log·files·written·by | ||
| 636 | <code>rsyslog</code>·should·be·root. | ||
| 637 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 638 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 639 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 640 | run·the·following·command·to·inspect·the·file's·owner: | ||
| 641 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 642 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 643 | correct·this: | ||
| 644 | <pre>$·sudo·chown·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 645 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 646 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 647 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 648 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40656"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions | ||
| 649 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by | 666 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by |
| 650 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. | 667 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 651 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 668 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 652 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· | 669 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 653 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 670 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 654 | run·the·following·command·to·inspect·the·file's·permissions: | 671 | run·the·following·command·to·inspect·the·file's·permissions: |
| 655 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 672 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 656 | If·the·permissions·are·not·600·or·more·restrictive, | 673 | If·the·permissions·are·not·600·or·more·restrictive, |
| 657 | run·the·following·command·to·correct·this: | 674 | run·the·following·command·to·correct·this: |
| 658 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system | 675 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system |
| 659 | configuration.·If·the·system·log·files·are·not·protected·unauthorized | 676 | configuration.·If·the·system·log·files·are·not·protected·unauthorized |
| 660 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 677 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 661 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 678 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 662 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm406 | 679 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40642"><pre><code> |
| 663 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 680 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 664 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 681 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 665 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 682 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 666 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 683 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 667 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 684 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 668 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 685 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| 669 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths | 686 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths |
| Offset 708, 84 lines modified | Offset 725, 67 lines modified | ||
| 708 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them | 725 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them |
| 709 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] | 726 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] |
| 710 | » then | 727 | » then |
| 711 | » » /bin/chmod·600·"$PATH" | 728 | » » /bin/chmod·600·"$PATH" |
| 712 | » fi | 729 | » fi |
| 713 | done | 730 | done |
| 714 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 731 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·id="guide-tree-leaf-idm40647"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">Ensure·Log·Files·Are·Owned·By·Appropriate·User |
| Max diff block lines reached; 443005/470399 bytes (94.18%) of diff not shown. | |||
| Offset 1558, 15 lines modified | Offset 1558, 15 lines modified | ||
| 1558 | The·following·recommendations·describe·how·to·strengthen·the | 1558 | The·following·recommendations·describe·how·to·strengthen·the |
| 1559 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1559 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1560 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1560 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1561 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1561 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1562 | and·<code>/etc/firewalld/zones</code>·directories. | 1562 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1563 | <br><br> | 1563 | <br><br> |
| 1564 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1564 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1565 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm4 | 1565 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm40861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1566 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1566 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1567 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1567 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1568 | modify·the·following·line·in | 1568 | modify·the·following·line·in |
| 1569 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1569 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1570 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1570 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1571 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1571 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1572 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1572 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1631, 24 lines modified | Offset 1631, 24 lines modified | ||
| 1631 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1631 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1632 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1632 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1633 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1633 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1634 | vnc-server·wbem-https | 1634 | vnc-server·wbem-https |
| 1635 | </pre> | 1635 | </pre> |
| 1636 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1636 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1637 | service·reload,·enter·the·following·command·as·root: | 1637 | service·reload,·enter·the·following·command·as·root: |
| 1638 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm4 | 1638 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm40986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1639 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1639 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1640 | ·············· | 1640 | ·············· |
| 1641 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1641 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1642 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1642 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1643 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1643 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1644 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1644 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1645 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1645 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1646 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1646 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1647 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1647 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41000">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41000"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1648 | # | 1648 | # |
| 1649 | #·Example·Call(s): | 1649 | #·Example·Call(s): |
| 1650 | # | 1650 | # |
| 1651 | #·····service_command·enable·bluetooth | 1651 | #·····service_command·enable·bluetooth |
| 1652 | #·····service_command·disable·bluetooth.service | 1652 | #·····service_command·disable·bluetooth.service |
| 1653 | # | 1653 | # |
| 1654 | #·····Using·xinetd: | 1654 | #·····Using·xinetd: |
| Offset 1716, 15 lines modified | Offset 1716, 15 lines modified | ||
| 1716 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1716 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1717 | ··fi | 1717 | ··fi |
| 1718 | fi | 1718 | fi |
| 1719 | } | 1719 | } |
| 1720 | service_command·enable·firewalld | 1720 | service_command·enable·firewalld |
| 1721 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1721 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41002">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41002"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1722 | ··service: | 1722 | ··service: |
| 1723 | ····name="{{item}}" | 1723 | ····name="{{item}}" |
| 1724 | ····enabled="yes" | 1724 | ····enabled="yes" |
| 1725 | ····state="started" | 1725 | ····state="started" |
| 1726 | ··with_items: | 1726 | ··with_items: |
| 1727 | ····-·firewalld | 1727 | ····-·firewalld |
| 1728 | ··tags: | 1728 | ··tags: |
| Offset 2281, 68 lines modified | Offset 2281, 68 lines modified | ||
| 2281 | The·virtual·devices·<code>/dev/console</code> | 2281 | The·virtual·devices·<code>/dev/console</code> |
| 2282 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via | 2282 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via |
| 2283 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default | 2283 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default |
| 2284 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. | 2284 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. |
| 2285 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained | 2285 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained |
| 2286 | for·compatibility.·Root·should·also·be·prohibited·from·connecting | 2286 | for·compatibility.·Root·should·also·be·prohibited·from·connecting |
| 2287 | via·network·protocols.·Other·sections·of·this·document | 2287 | via·network·protocols.·Other·sections·of·this·document |
| 2288 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 2288 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·id="guide-tree-leaf-idm50790"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">Verify·Only·Root·Has·UID·0 |
| 2289 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2290 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2291 | have·their·UID·changed. | ||
| 2292 | <br> | ||
| 2293 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2294 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2295 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2296 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2297 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2298 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2299 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2300 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2301 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50804">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50804"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2302 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·id="guide-tree-leaf-idm50855"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">Ensure·that·System·Accounts·Do·Not·Run·a·Shell·Upon·Login | ||
| 2289 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to | 2303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to |
| 2290 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into | 2304 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into |
| 2291 | these·accounts,·they·should·not·be·granted·access·to·a·shell. | 2305 | these·accounts,·they·should·not·be·granted·access·to·a·shell. |
| 2292 | <br><br> | 2306 | <br><br> |
| 2293 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line | 2307 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line |
| 2294 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID | 2308 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID |
| 2295 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in | 2309 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in |
| 2296 | /etc/login.defs·configuration·file.·In·the·default·configuration·UID_MIN·is·set | 2310 | /etc/login.defs·configuration·file.·In·the·default·configuration·UID_MIN·is·set |
| 2297 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than | 2311 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than |
| 2298 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account | 2312 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account |
| 2299 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the | 2313 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the |
| 2300 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more | 2314 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more |
| 2301 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 2315 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 2302 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 2316 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 2303 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 2317 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password |
| 2304 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2305 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2306 | have·their·UID·changed. | ||
| 2307 | <br> | ||
| 2308 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2309 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2310 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2311 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2312 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2313 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2314 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2315 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2316 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50920">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50920"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2317 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password | ||
| 2318 | Hashes | 2318 | Hashes |
| 2319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored | 2319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored |
| 2320 | in·the·second·field·(colon-separated)·in | 2320 | in·the·second·field·(colon-separated)·in |
| 2321 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by | 2321 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by |
| 2322 | processes·running·with·root·credentials,·preventing·users·from | 2322 | processes·running·with·root·credentials,·preventing·users·from |
| 2323 | casually·accessing·others'·password·hashes·and·attempting | 2323 | casually·accessing·others'·password·hashes·and·attempting |
| 2324 | to·crack·them. | 2324 | to·crack·them. |
| 2325 | However,·it·remains·possible·to·misconfigure·the·system | 2325 | However,·it·remains·possible·to·misconfigure·the·system |
| 2326 | and·store·password·hashes | 2326 | and·store·password·hashes |
| 2327 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 2327 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 2328 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 2328 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 2329 | Using·system-provided·tools·for·password·change/creation | 2329 | Using·system-provided·tools·for·password·change/creation |
| 2330 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 2330 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm50944"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 2331 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 2331 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 2332 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 2332 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| 2333 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> | 2333 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> |
| 2334 | option·in·<code>/etc/pam.d/system-auth</code>·to | 2334 | option·in·<code>/etc/pam.d/system-auth</code>·to |
| 2335 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and | 2335 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and |
| 2336 | run·commands·with·the·privileges·of·that·account.·Accounts·with | 2336 | run·commands·with·the·privileges·of·that·account.·Accounts·with |
| Max diff block lines reached; 97631/120611 bytes (80.95%) of diff not shown. | |||
| Offset 732, 22 lines modified | Offset 732, 22 lines modified | ||
| 732 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 732 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 733 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 733 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 734 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 734 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 735 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 735 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 736 | a·central·logging·server. | 736 | a·central·logging·server. |
| 737 | This·section·discusses·how·to·configure·rsyslog·for | 737 | This·section·discusses·how·to·configure·rsyslog·for |
| 738 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 738 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 739 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm407 | 739 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm40784"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service |
| 740 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. | 740 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. |
| 741 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: | 741 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: |
| 742 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide | 742 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide |
| 743 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 743 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 744 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 744 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 745 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40 | 745 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40803">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40803"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 746 | # | 746 | # |
| 747 | #·Example·Call(s): | 747 | #·Example·Call(s): |
| 748 | # | 748 | # |
| 749 | #·····service_command·enable·bluetooth | 749 | #·····service_command·enable·bluetooth |
| 750 | #·····service_command·disable·bluetooth.service | 750 | #·····service_command·disable·bluetooth.service |
| 751 | # | 751 | # |
| 752 | #·····Using·xinetd: | 752 | #·····Using·xinetd: |
| Offset 815, 15 lines modified | Offset 815, 15 lines modified | ||
| 815 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 815 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 816 | ··fi | 816 | ··fi |
| 817 | fi | 817 | fi |
| 818 | } | 818 | } |
| 819 | service_command·enable·rsyslog | 819 | service_command·enable·rsyslog |
| 820 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4080 | 820 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm40805">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40805"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog |
| 821 | ··service: | 821 | ··service: |
| 822 | ····name="{{item}}" | 822 | ····name="{{item}}" |
| 823 | ····enabled="yes" | 823 | ····enabled="yes" |
| 824 | ····state="started" | 824 | ····state="started" |
| 825 | ··with_items: | 825 | ··with_items: |
| 826 | ····-·rsyslog | 826 | ····-·rsyslog |
| 827 | ··tags: | 827 | ··tags: |
| Offset 929, 26 lines modified | Offset 929, 26 lines modified | ||
| 929 | casually·accessing·others'·password·hashes·and·attempting | 929 | casually·accessing·others'·password·hashes·and·attempting |
| 930 | to·crack·them. | 930 | to·crack·them. |
| 931 | However,·it·remains·possible·to·misconfigure·the·system | 931 | However,·it·remains·possible·to·misconfigure·the·system |
| 932 | and·store·password·hashes | 932 | and·store·password·hashes |
| 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 935 | Using·system-provided·tools·for·password·change/creation | 935 | Using·system-provided·tools·for·password·change/creation |
| 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm50944"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> | 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> |
| 940 | option·in·<code>/etc/pam.d/system-auth</code>·to | 940 | option·in·<code>/etc/pam.d/system-auth</code>·to |
| 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and | 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and |
| 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with | 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with |
| 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 945 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm5 | 945 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50973">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50973"><pre><code>sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 946 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 946 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 947 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5 | 947 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm50974">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50974"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 948 | ··replace: | 948 | ··replace: |
| 949 | ····dest:·/etc/pam.d/system-auth | 949 | ····dest:·/etc/pam.d/system-auth |
| 950 | ····follow:·yes | 950 | ····follow:·yes |
| 951 | ····regexp:·'nullok' | 951 | ····regexp:·'nullok' |
| 952 | ··tags: | 952 | ··tags: |
| 953 | ····-·no_empty_passwords | 953 | ····-·no_empty_passwords |
| 954 | ····-·high_severity | 954 | ····-·high_severity |
| Offset 1141, 158 lines modified | Offset 1141, 30 lines modified | ||
| 1141 | <pre>$·sudo·chmod·+t·<i>DIR</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Failing·to·set·the·sticky·bit·on·public·directories·allows·unauthorized·users·to·delete·files·in·the·directory·structure. | 1141 | <pre>$·sudo·chmod·+t·<i>DIR</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Failing·to·set·the·sticky·bit·on·public·directories·allows·unauthorized·users·to·delete·files·in·the·directory·structure. |
| 1142 | <br><br> | 1142 | <br><br> |
| 1143 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· | 1143 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· |
| 1144 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· | 1144 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· |
| 1145 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· | 1145 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· |
| 1146 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1146 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1147 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1147 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1148 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1148 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_partitions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_partitions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_partitions">Restrict·Partition·Mount·Options |
| 1149 | Filesystems | ||
| 1150 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mounting">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Linux·includes·a·number·of·facilities·for·the·automated·addition | ||
| 1151 | and·removal·of·filesystems·on·a·running·system.··These·facilities·may·be | ||
| 1152 | necessary·in·many·environments,·but·this·capability·also·carries·some·risk·--·whether·direct | ||
| 1153 | risk·from·allowing·users·to·introduce·arbitrary·filesystems, | ||
| 1154 | or·risk·that·software·flaws·in·the·automated·mount·facility·itself·could | ||
| 1155 | allow·an·attacker·to·compromise·the·system. | ||
| 1156 | <br><br> | ||
| 1157 | This·command·can·be·used·to·list·the·types·of·filesystems·that·are | ||
| 1158 | available·to·the·currently·executing·kernel: | ||
| 1159 | <pre>$·find·/lib/modules/`uname·-r`/kernel/fs·-type·f·-name·'*.ko'</pre> | ||
| 1160 | If·these·filesystems·are·not·required·then·they·can·be·explicitly·disabled | ||
| 1161 | in·a·configuratio·file·in··<code>/etc/modprobe.d</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mounting"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled"·id="guide-tree-leaf-idm53433"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mounting"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_autofs_disabled">Disable·the·Automounter | ||
| 1162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_autofs_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>autofs</code>·daemon·mounts·and·unmounts·filesystems,·such·as·user | ||
| 1163 | home·directories·shared·via·NFS,·on·demand.·In·addition,·autofs·can·be·used·to·handle | ||
| 1164 | removable·media,·and·the·default·configuration·provides·the·cdrom·device·as·<code>/misc/cd</code>. | ||
| 1165 | However,·this·method·of·providing·access·to·removable·media·is·not·common,·so·autofs | ||
| 1166 | can·almost·always·be·disabled·if·NFS·is·not·in·use.·Even·if·NFS·is·required,·it·may·be | ||
| 1167 | possible·to·configure·filesystem·mounts·statically·by·editing·<code>/etc/fstab</code> | ||
| 1168 | rather·than·relying·on·the·automounter. | ||
| 1169 | <br><br> | ||
| 1170 | ········The·<code>autofs</code>·service·can·be·disabled·with·the·following·command: | ||
| 1171 | ········<pre>$·sudo·systemctl·disable·autofs.service</pre></p><span·class="label·label-primary">Rationale:</span><p>Disabling·the·automounter·permits·the·administrator·to | ||
| 1172 | statically·control·filesystem·mounting·through·<code>/etc/fstab</code>. | ||
| 1173 | <br><br> | ||
| 1174 | Additionally,·automatically·mounting·filesystems·permits·easy·introduction·of | ||
| 1175 | unknown·devices,·thereby·facilitating·malicious·activity.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1176 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1177 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86609r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-00163</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm53467">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm53467"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 1178 | # | ||
| 1179 | #·Example·Call(s): | ||
| 1180 | # | ||
| 1181 | #·····service_command·enable·bluetooth | ||
| 1182 | #·····service_command·disable·bluetooth.service | ||
| 1183 | # | ||
| 1184 | #·····Using·xinetd: | ||
| 1185 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 1186 | # | ||
| 1187 | function·service_command·{ | ||
| 1188 | #·Load·function·arguments·into·local·variables | ||
| 1189 | local·service_state=$1 | ||
| 1190 | local·service=$2 | ||
| 1191 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 1192 | #·Check·sanity·of·the·input | ||
| 1193 | if·[·$#·-lt·"2"·] | ||
| 1194 | then | ||
| 1195 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 1196 | ··echo | ||
| 1197 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 1198 | ··echo·"as·the·last·argument"·· | ||
| Max diff block lines reached; 289631/317958 bytes (91.09%) of diff not shown. | |||
| Offset 92, 54 lines modified | Offset 92, 54 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm360 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 101 | and·users·that·are·trusted·by·the·local·system. | ||
| 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 103 | location: | ||
| 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36095">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36095"><pre><code> | ||
| 111 | #·Identify·local·mounts | ||
| 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 113 | #·Find·file·on·each·listed·mount·point | ||
| 114 | for·cur_mount·in·${MOUNT_LIST} | ||
| 115 | do | ||
| 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 117 | done | ||
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36131"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 120 | list·remote·hosts·and·users·that·are·trusted·by·the | 101 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 121 | local·system.·To·remove·these·files,·run·the·following·command | 102 | local·system.·To·remove·these·files,·run·the·following·command |
| 122 | to·delete·them·from·any·location: | 103 | to·delete·them·from·any·location: |
| 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 104 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 105 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 106 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 126 | require·interactive·identification·and·authentication·of·a·connection·request, | 107 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 108 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36065">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36065"><pre><code> |
| 130 | #·Identify·local·mounts | 111 | #·Identify·local·mounts |
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 132 | #·Find·file·on·each·listed·mount·point | 113 | #·Find·file·on·each·listed·mount·point |
| 133 | for·cur_mount·in·${MOUNT_LIST} | 114 | for·cur_mount·in·${MOUNT_LIST} |
| 134 | do | 115 | do |
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 116 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 136 | done | 117 | done |
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36070"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 120 | and·users·that·are·trusted·by·the·local·system. | ||
| 121 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 122 | location: | ||
| 123 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 124 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 125 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 126 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 127 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36079">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36079"><pre><code> | ||
| 130 | #·Identify·local·mounts | ||
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 132 | #·Find·file·on·each·listed·mount·point | ||
| 133 | for·cur_mount·in·${MOUNT_LIST} | ||
| 134 | do | ||
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 136 | done | ||
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 139 | the·following·command: | 139 | the·following·command: |
| 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| Offset 371, 36 lines modified | Offset 371, 27 lines modified | ||
| 371 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server | 371 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server |
| 372 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has | 372 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has |
| 373 | traditionally·been·used·to·configure·networking·equipment.·However, | 373 | traditionally·been·used·to·configure·networking·equipment.·However, |
| 374 | TFTP·provides·little·security,·and·modern·versions·of·networking | 374 | TFTP·provides·little·security,·and·modern·versions·of·networking |
| 375 | operating·systems·frequently·support·configuration·via·SSH·or·other | 375 | operating·systems·frequently·support·configuration·via·SSH·or·other |
| 376 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more | 376 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more |
| 377 | secure·method·of·supporting·existing·equipment·can·be | 377 | secure·method·of·supporting·existing·equipment·can·be |
| 378 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_tftp | 378 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36416"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package |
| 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 380 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 381 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 382 | the·following·example·(which·is·also·the·default): | ||
| 383 | <pre>server_args·=·-s·/var/lib/tftpboot</pre></p><span·class="label·label-primary">Rationale:</span><p>Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | ||
| 384 | given·directory.·Serving·files·from·an·intentionally-specified·directory | ||
| 385 | reduces·the·risk·of·sharing·files·which·should·remain·private.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 386 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 387 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86929r2_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36435"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package | ||
| 388 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 389 | ············ | 380 | ············ |
| 390 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: | 381 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: |
| 391 | ········<pre>$·sudo·yum·erase·tftp-server</pre> | 382 | ········<pre>$·sudo·yum·erase·tftp-server</pre> |
| 392 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the | 383 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the |
| 393 | accidental·(or·intentional)·activation·of·tftp·services. | 384 | accidental·(or·intentional)·activation·of·tftp·services. |
| 394 | <br><br> | 385 | <br><br> |
| 395 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), | 386 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), |
| 396 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· | 387 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· |
| 397 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 388 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 398 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm364 | 390 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36435">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36435"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 400 | # | 391 | # |
| 401 | #·Example·Call(s): | 392 | #·Example·Call(s): |
| 402 | # | 393 | # |
| 403 | #·····package_remove·telnet-server | 394 | #·····package_remove·telnet-server |
| 404 | # | 395 | # |
| 405 | function·package_remove·{ | 396 | function·package_remove·{ |
| Offset 430, 15 lines modified | Offset 421, 15 lines modified | ||
| 430 | ··echo·"Aborting." | 421 | ··echo·"Aborting." |
| 431 | ··exit·1 | 422 | ··exit·1 |
| 432 | fi | 423 | fi |
| 433 | } | 424 | } |
| 434 | package_remove·tftp-server | 425 | package_remove·tftp-server |
| 435 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm364 | 426 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36437">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36437"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·tftp-server·is·removed |
| 436 | ··package: | 427 | ··package: |
| 437 | ····name="{{item}}" | 428 | ····name="{{item}}" |
| 438 | ····state=absent | 429 | ····state=absent |
| 439 | ··with_items: | 430 | ··with_items: |
| 440 | ····-·tftp-server | 431 | ····-·tftp-server |
| 441 | ··tags: | 432 | ··tags: |
| 442 | ····-·package_tftp-server_removed | 433 | ····-·package_tftp-server_removed |
| Max diff block lines reached; 880678/900717 bytes (97.78%) of diff not shown. | |||
| Offset 101, 17 lines modified | Offset 101, 17 lines modified | ||
| 101 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 101 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 102 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 102 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 103 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 103 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 104 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 104 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 106 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | 106 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack |
| 107 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist | 107 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist |
| 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_keystone"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_keystone">Keystone·STIG·Checklist |
| 109 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 109 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_keystone">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Keystone·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nova"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_nova">Nova·STIG·Checklist |
| 110 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 110 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nova">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Nova·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_horizon"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_horizon">Horizon·STIG·Checklist |
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist | 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist |
| 112 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server | 112 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 113 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | 113 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 114 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | 114 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means |
| 115 | that·passwords·and·other·data·transmitted·during·the·session·can·be | 115 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 116 | captured·and·that·the·session·is·vulnerable·to·hijacking. | 116 | captured·and·that·the·session·is·vulnerable·to·hijacking. |
| 117 | Therefore,·running·the·FTP·server·software·is·not·recommended. | 117 | Therefore,·running·the·FTP·server·software·is·not·recommended. |
| Offset 201, 15 lines modified | Offset 201, 39 lines modified | ||
| 201 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system | 201 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system |
| 202 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled | 202 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled |
| 203 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server | 203 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at | 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 205 | least·one·nameserver.·However,·there·are·many·common·attacks | 205 | least·one·nameserver.·However,·there·are·many·common·attacks |
| 206 | involving·DNS·server·software,·and·this·server·software·should | 206 | involving·DNS·server·software,·and·this·server·software·should |
| 207 | be·disabled·on·any·system | 207 | be·disabled·on·any·system |
| 208 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_ | 208 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 209 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 210 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 211 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 212 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 213 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 214 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 215 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 216 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 217 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 218 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 219 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 220 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 221 | <pre>options·{ | ||
| 222 | directory·"/path/to/DIRNAME·"; | ||
| 223 | ... | ||
| 224 | }</pre> | ||
| 225 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 226 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 227 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 228 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 230 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 231 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 232 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | ||
| 209 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it | 233 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it |
| 210 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify | 234 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify |
| 211 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries | 235 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries |
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on | 236 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on |
| 213 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On | 237 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On |
| 214 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the | 238 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the |
| 215 | following·directives: | 239 | following·directives: |
| Offset 257, 39 lines modified | Offset 281, 15 lines modified | ||
| 257 | view·"external-view"·{ | 281 | view·"external-view"·{ |
| 258 | ··match-clients·{·any;·}; | 282 | ··match-clients·{·any;·}; |
| 259 | ··recursion·no; | 283 | ··recursion·no; |
| 260 | ··zone·"example.com·"·IN·{ | 284 | ··zone·"example.com·"·IN·{ |
| 261 | ····... | 285 | ····... |
| 262 | ··}; | 286 | ··}; |
| 263 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_d | 287 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server |
| 264 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 265 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 266 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 267 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 268 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 269 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 270 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 271 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 272 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 273 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 274 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 275 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 276 | <pre>options·{ | ||
| 277 | directory·"/path/to/DIRNAME·"; | ||
| 278 | ... | ||
| 279 | }</pre> | ||
| 280 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 281 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 282 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 283 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 284 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 285 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 286 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 287 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server | ||
| 288 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not | 288 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not |
| 289 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is | 289 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is |
| 290 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section | 290 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section |
| 291 | discusses·secure·configuration·of·systems·which·must·be | 291 | discusses·secure·configuration·of·systems·which·must·be |
| 292 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP | 292 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 293 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a | 293 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 294 | standardized·way·of·looking·up·information·from·a·central·database. | 294 | standardized·way·of·looking·up·information·from·a·central·database. |
| Offset 1056, 30 lines modified | Offset 1056, 30 lines modified | ||
| 1056 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to | 1056 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to |
| 1057 | privilege·escalation.·Packages·that·include·network·services·may·give | 1057 | privilege·escalation.·Packages·that·include·network·services·may·give |
| 1058 | this·opportunity·to·network-based·attackers.·Packages·that·include | 1058 | this·opportunity·to·network-based·attackers.·Packages·that·include |
| 1059 | programs·which·are·predictably·executed·by·local·users·(e.g.·after | 1059 | programs·which·are·predictably·executed·by·local·users·(e.g.·after |
| 1060 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other | 1060 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other |
| 1061 | attack·code·to·be·run·undetected.·The·number·of·software·packages | 1061 | attack·code·to·be·run·undetected.·The·number·of·software·packages |
| 1062 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include | 1062 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include |
| 1063 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle- | 1063 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege |
| 1064 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1065 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1066 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1067 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1068 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1069 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1070 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege | ||
| 1071 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. | 1064 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. |
| 1072 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user | 1065 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user |
| 1073 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit | 1066 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit |
| 1074 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in | 1067 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in |
| 1075 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of | 1068 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of |
| 1076 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the | 1069 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the |
| 1077 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the | 1070 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the |
| 1078 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-se | 1071 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-use-security-tools">Configure·Security·Tools·to·Improve·System·Robustness |
| 1072 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1073 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1074 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1075 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1076 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1077 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| Max diff block lines reached; 56972/86580 bytes (65.80%) of diff not shown. | |||
| Offset 58, 27 lines modified | Offset 58, 27 lines modified | ||
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_ | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nova_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nova_tls"·id="guide-tree-leaf-idm4318"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nova_tls">Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS? |
| 66 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_ | 66 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. |
| 67 | <br> | 67 | <br> |
| 68 | <br> | 68 | <br> |
| 69 | Pass:·If·value·of·parameter· | 69 | Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. |
| 70 | <br> | 70 | <br> |
| 71 | <br> | 71 | <br> |
| 72 | Fail:·If·value·of·parameter· | 72 | Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 73 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 73 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 74 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 74 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 75 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4328">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4328"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT· | 75 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4328">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4328"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False |
| 76 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm4329"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">Check-Block-07:·Is·NAS·operating·in·secure·enviornment? | 76 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm4329"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">Check-Block-07:·Is·NAS·operating·in·secure·enviornment? |
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user. | 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user. |
| 78 | <br> | 78 | <br> |
| 79 | <br> | 79 | <br> |
| 80 | Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been. | 80 | Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been. |
| Offset 96, 15 lines modified | Offset 96, 32 lines modified | ||
| 96 | <br> | 96 | <br> |
| 97 | <br> | 97 | <br> |
| 98 | Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 98 | Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4349">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4349"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone | 101 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4349">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4349"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone |
| 102 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_ | 102 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·id="guide-tree-leaf-idm4350"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled">Check-Block-04:·Is·TLS·enabled·for·authentication? |
| 103 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | ||
| 104 | <br> | ||
| 105 | <br> | ||
| 106 | Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False. | ||
| 107 | <br> | ||
| 108 | <br> | ||
| 109 | Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 110 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 111 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 112 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4360">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4360"><pre><code>OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) | ||
| 113 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" | ||
| 114 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI | ||
| 115 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) | ||
| 116 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" | ||
| 117 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI | ||
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_perms"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_perms"·id="guide-tree-leaf-idm4361"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_perms">Check-Block-02:·Are·strict·permissions·set·for·Compute·configuration·files? | ||
| 103 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files. | 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files. |
| 104 | <br> | 120 | <br> |
| 105 | <br> | 121 | <br> |
| 106 | Run·the·following·commands: | 122 | Run·the·following·commands: |
| 107 | <br> | 123 | <br> |
| 108 | <br> | 124 | <br> |
| 109 | <code> | 125 | <code> |
| Offset 138, 49 lines modified | Offset 155, 19 lines modified | ||
| 138 | other········--- | 155 | other········--- |
| 139 | </code> | 156 | </code> |
| 140 | <br> | 157 | <br> |
| 141 | <br> | 158 | <br> |
| 142 | Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 159 | Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 143 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 160 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 144 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 161 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 145 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm43 | 162 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4388">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4388"><pre><code>chmod·640·/etc/cinder/cinder.conf |
| 146 | chmod·640·/etc/cinder/api-paste.ini | 163 | chmod·640·/etc/cinder/api-paste.ini |
| 147 | chmod·640·/etc/cinder/policy.json | 164 | chmod·640·/etc/cinder/policy.json |
| 148 | chmod·640·/etc/cinder/rootwrap.conf | 165 | chmod·640·/etc/cinder/rootwrap.conf |
| 149 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_ | 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4389"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder? |
| 150 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | ||
| 151 | <br> | ||
| 152 | <br> | ||
| 153 | Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False. | ||
| 154 | <br> | ||
| 155 | <br> | ||
| 156 | Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 157 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 158 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 159 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4388">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4388"><pre><code>OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) | ||
| 160 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" | ||
| 161 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI | ||
| 162 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) | ||
| 163 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" | ||
| 164 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI | ||
| 165 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nova_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nova_tls"·id="guide-tree-leaf-idm4389"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nova_tls">Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS? | ||
| 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | ||
| 167 | <br> | ||
| 168 | <br> | ||
| 169 | Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. | ||
| 170 | <br> | ||
| 171 | <br> | ||
| 172 | Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 173 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 174 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 175 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4399">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4399"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False | ||
| 176 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4400"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder? | ||
| 177 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder. | 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder. |
| 178 | <br> | 168 | <br> |
| 179 | <br> | 169 | <br> |
| 180 | Run·the·following·commands: | 170 | Run·the·following·commands: |
| 181 | <br> | 171 | <br> |
| 182 | <br> | 172 | <br> |
| 183 | <code> | 173 | <code> |
| Offset 196, 47 lines modified | Offset 183, 144 lines modified | ||
| 196 | <br> | 183 | <br> |
| 197 | Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder. | 184 | Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder. |
| 198 | <br> | 185 | <br> |
| 199 | <br> | 186 | <br> |
| 200 | Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 187 | Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 201 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 188 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 202 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 189 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm44 | 190 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4407">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4407"><pre><code>for·file·in·/etc/cinder/cinder.conf·\ |
| 204 | » » /etc/cinder/api-paste.ini·\ | 191 | » » /etc/cinder/api-paste.ini·\ |
| 205 | » » /etc/cinder/policy.json·\ | 192 | » » /etc/cinder/policy.json·\ |
| 206 | » » /etc/cinder/rootwrap.conf;·do | 193 | » » /etc/cinder/rootwrap.conf;·do |
| 207 | » chown·root·$file | 194 | » chown·root·$file |
| 208 | » chgrp·cinder·$file | 195 | » chgrp·cinder·$file |
| 209 | done | 196 | done |
| 210 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body"·id="guide-tree-leaf-idm44 | 197 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body"·id="guide-tree-leaf-idm4408"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body">Check-Block-08:·Is·max·size·for·the·body·of·a·request·set·to·default·(114688)? |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·maximum·body·size·per·request·is·not·defined,·the·attacker·can·craft·an·arbitrary·osapi·request·of·large·size·causing·the·service·to·crash·and·finally·resulting·in·Denial·Of·Service·attack.·Assigning·the·maximum·value·ensures·that·any·malicious·oversized·request·gets·blocked·ensuring·continued·availability·of·the·service. | 198 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_osapi_max_request_body">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·maximum·body·size·per·request·is·not·defined,·the·attacker·can·craft·an·arbitrary·osapi·request·of·large·size·causing·the·service·to·crash·and·finally·resulting·in·Denial·Of·Service·attack.·Assigning·the·maximum·value·ensures·that·any·malicious·oversized·request·gets·blocked·ensuring·continued·availability·of·the·service. |
| Max diff block lines reached; 42602/70832 bytes (60.15%) of diff not shown. | |||
| Offset 1081, 22 lines modified | Offset 1081, 43 lines modified | ||
| 1081 | ····-·CCE-27228-6 | 1081 | ····-·CCE-27228-6 |
| 1082 | ····-·NIST-800-53-IA-5(b) | 1082 | ····-·NIST-800-53-IA-5(b) |
| 1083 | ····-·NIST-800-53-IA-5(c) | 1083 | ····-·NIST-800-53-IA-5(c) |
| 1084 | ····-·NIST-800-53-IA-5(1)(c) | 1084 | ····-·NIST-800-53-IA-5(1)(c) |
| 1085 | ····-·NIST-800-53-IA-7 | 1085 | ····-·NIST-800-53-IA-7 |
| 1086 | ····-·PCI-DSS-Req-8.2.1 | 1086 | ····-·PCI-DSS-Req-8.2.1 |
| 1087 | ····-·DISA-STIG-RHEL-06-000063 | 1087 | ····-·DISA-STIG-RHEL-06-000063 |
| 1088 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_ | 1088 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth"·id="guide-tree-leaf-idm65094"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.1"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth">Set·Password·Hashing·Algorithm·in·/etc/pam.d/system-auth |
| 1089 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>In·<code>/etc/pam.d/system-auth</code>,·the·<code>password</code>·section·of | ||
| 1090 | the·file·controls·which·PAM·modules·execute·during·a·password·change. | ||
| 1091 | Set·the·<code>pam_unix.so</code>·module·in·the | ||
| 1092 | <code>password</code>·section·to·include·the·argument·<code>sha512</code>,·as·shown·below: | ||
| 1093 | <pre>password····sufficient····pam_unix.so·sha512·<i>other·arguments...</i></pre> | ||
| 1094 | This·will·help·ensure·when·local·users·change·their·passwords,·hashes·for·the·new | ||
| 1095 | passwords·will·be·generated·using·the·SHA-512·algorithm. | ||
| 1096 | This·is·the·default.</p><span·class="label·label-primary">Rationale:</span><p>Using·a·stronger·hashing·algorithm·makes·password·cracking·attacks·more·difficult.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1097 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1098 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26303-8">CCE-26303-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1099 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000062</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50375r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65115">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65115"><pre><code> | ||
| 1100 | AUTH_FILES[0]="/etc/pam.d/system-auth" | ||
| 1101 | AUTH_FILES[1]="/etc/pam.d/password-auth" | ||
| 1102 | for·pamFile·in·"${AUTH_FILES[@]}" | ||
| 1103 | do | ||
| 1104 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then | ||
| 1105 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile | ||
| 1106 | » fi | ||
| 1107 | done | ||
| 1108 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf"·id="guide-tree-leaf-idm65120"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.1"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf">Set·Password·Hashing·Algorithm·in·/etc/libuser.conf | ||
| 1089 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>In·<code>/etc/libuser.conf</code>,·add·or·correct·the·following·line·in·its | 1109 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>In·<code>/etc/libuser.conf</code>,·add·or·correct·the·following·line·in·its |
| 1090 | <code>[defaults]</code>·section·to·ensure·the·system·will·use·the·SHA-512 | 1110 | <code>[defaults]</code>·section·to·ensure·the·system·will·use·the·SHA-512 |
| 1091 | algorithm·for·password·hashing: | 1111 | algorithm·for·password·hashing: |
| 1092 | <pre>crypt_style·=·sha512</pre></p><span·class="label·label-primary">Rationale:</span><p>Using·a·stronger·hashing·algorithm·makes·password·cracking·attacks·more·difficult.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1112 | <pre>crypt_style·=·sha512</pre></p><span·class="label·label-primary">Rationale:</span><p>Using·a·stronger·hashing·algorithm·makes·password·cracking·attacks·more·difficult.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1093 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1113 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1094 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27229-4">CCE-27229-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1114 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27229-4">CCE-27229-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1095 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000064</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50378r1_rule</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm651 | 1115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000064</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50378r1_rule</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm65137">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65137"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·Password·Hashing·Algorithm·in·/etc/libuser.conf |
| 1096 | ··lineinfile: | 1116 | ··lineinfile: |
| 1097 | ····dest:·/etc/libuser.conf | 1117 | ····dest:·/etc/libuser.conf |
| 1098 | ····insertafter:·"^.default]" | 1118 | ····insertafter:·"^.default]" |
| 1099 | ····regexp:·^#?crypt_style | 1119 | ····regexp:·^#?crypt_style |
| 1100 | ····line:·crypt_style·=·sha512 | 1120 | ····line:·crypt_style·=·sha512 |
| 1101 | ····state:·present | 1121 | ····state:·present |
| 1102 | ··tags: | 1122 | ··tags: |
| Offset 1108, 35 lines modified | Offset 1129, 14 lines modified | ||
| 1108 | ····-·CCE-27229-4 | 1129 | ····-·CCE-27229-4 |
| 1109 | ····-·NIST-800-53-IA-5(b) | 1130 | ····-·NIST-800-53-IA-5(b) |
| 1110 | ····-·NIST-800-53-IA-5(c) | 1131 | ····-·NIST-800-53-IA-5(c) |
| 1111 | ····-·NIST-800-53-IA-5(1)(c) | 1132 | ····-·NIST-800-53-IA-5(1)(c) |
| 1112 | ····-·NIST-800-53-IA-7 | 1133 | ····-·NIST-800-53-IA-7 |
| 1113 | ····-·PCI-DSS-Req-8.2.1 | 1134 | ····-·PCI-DSS-Req-8.2.1 |
| 1114 | ····-·DISA-STIG-RHEL-06-000064 | 1135 | ····-·DISA-STIG-RHEL-06-000064 |
| 1115 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth"·id="guide-tree-leaf-idm65116"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.1"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth">Set·Password·Hashing·Algorithm·in·/etc/pam.d/system-auth | ||
| 1116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>In·<code>/etc/pam.d/system-auth</code>,·the·<code>password</code>·section·of | ||
| 1117 | the·file·controls·which·PAM·modules·execute·during·a·password·change. | ||
| 1118 | Set·the·<code>pam_unix.so</code>·module·in·the | ||
| 1119 | <code>password</code>·section·to·include·the·argument·<code>sha512</code>,·as·shown·below: | ||
| 1120 | <pre>password····sufficient····pam_unix.so·sha512·<i>other·arguments...</i></pre> | ||
| 1121 | This·will·help·ensure·when·local·users·change·their·passwords,·hashes·for·the·new | ||
| 1122 | passwords·will·be·generated·using·the·SHA-512·algorithm. | ||
| 1123 | This·is·the·default.</p><span·class="label·label-primary">Rationale:</span><p>Using·a·stronger·hashing·algorithm·makes·password·cracking·attacks·more·difficult.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1124 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1125 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26303-8">CCE-26303-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1126 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000062</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50375r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65137">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65137"><pre><code> | ||
| 1127 | AUTH_FILES[0]="/etc/pam.d/system-auth" | ||
| 1128 | AUTH_FILES[1]="/etc/pam.d/password-auth" | ||
| 1129 | for·pamFile·in·"${AUTH_FILES[@]}" | ||
| 1130 | do | ||
| 1131 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then | ||
| 1132 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile | ||
| 1133 | » fi | ||
| 1134 | done | ||
| 1135 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.2">8.2.2 | 1136 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.2">8.2.2 |
| 1136 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Verify·user·identity·before</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3">8.2.3 | 1137 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Verify·user·identity·before</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3">8.2.3 |
| 1137 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Passwords/phrases·must·meet</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a">8.2.3.a | 1138 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Passwords/phrases·must·meet</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a">8.2.3.a |
| 1138 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>For·a·sample·of·system·components,·inspect·system</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b">8.2.3.b | 1139 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>For·a·sample·of·system·components,·inspect·system</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b">8.2.3.b |
| 1139 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm65160"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password | 1140 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm65160"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.2.3"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 1140 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 1141 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 1141 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 1142 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| Offset 1589, 41 lines modified | Offset 1589, 28 lines modified | ||
| 1589 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Where·other·authentication</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.a">8.6.a | 1589 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Where·other·authentication</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.a">8.6.a |
| 1590 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·authentication·policies·and·procedures·to·verify</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.b">8.6.b | 1590 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·authentication·policies·and·procedures·to·verify</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.b">8.6.b |
| 1591 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Interview·security·personnel·to·verify·authentication</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.c">8.6.c | 1591 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Interview·security·personnel·to·verify·authentication</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.6.c">8.6.c |
| 1592 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.c">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·system·configuration·settings·and/or·physical</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7">8.7 | 1592 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6.c">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·system·configuration·settings·and/or·physical</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.6"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7">8.7 |
| 1593 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·access·to·any·database</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"><small>contains·9·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.a">8.7.a | 1593 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·access·to·any·database</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8."><td·style="padding-left:·38px"><small>contains·9·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.a">8.7.a |
| 1594 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Review·database·and·application·configuration·settings</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.b">8.7.b | 1594 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.a">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Review·database·and·application·configuration·settings</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.a"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.b">8.7.b |
| 1595 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·database·and·application·configuration·settings·to</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.c">8.7.c | 1595 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.b">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·database·and·application·configuration·settings·to</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.b"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-8.7.c">8.7.c |
| 1596 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.c">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·database·access·control·settings·and·database</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><small>contains·9·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 1596 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7.c">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Examine·database·access·control·settings·and·database</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7"><td·style="padding-left:·57px"><small>contains·9·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"·id="guide-tree-leaf-idm65467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow">Verify·Permissions·on·shadow·File |
| 1597 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_userowner_shadow_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 1598 | ·············· | ||
| 1599 | ····To·properly·set·the·owner·of·<code>/etc/shadow</code>,·run·the·command: | ||
| 1600 | ····<pre·xml:space="preserve">$·sudo·chown·root·/etc/shadow·</pre> | ||
| 1601 | ············</p><span·class="label·label-primary">Rationale:</span><p>The·<code>/etc/shadow</code>·file·contains·the·list·of·local | ||
| 1602 | system·accounts·and·stores·password·hashes.·Protection·of·this·file·is | ||
| 1603 | critical·for·system·security.·Failure·to·give·ownership·of·this·file | ||
| 1604 | to·root·provides·the·designated·owner·with·access·to·sensitive·information | ||
| 1605 | which·could·weaken·the·system·security·posture.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1606 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1607 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26947-2">CCE-26947-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1608 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000033</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50303r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65481">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65481"><pre><code>chown·root·/etc/shadow | ||
| 1609 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"·id="guide-tree-leaf-idm65486"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.7.c"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow">Verify·Permissions·on·shadow·File | ||
| 1610 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1597 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1611 | ·············· | 1598 | ·············· |
| 1612 | ····To·properly·set·the·permissions·of·<code>/etc/shadow</code>,·run·the·command: | 1599 | ····To·properly·set·the·permissions·of·<code>/etc/shadow</code>,·run·the·command: |
| 1613 | ····<pre·xml:space="preserve">$·sudo·chmod·0000·/etc/shadow</pre> | 1600 | ····<pre·xml:space="preserve">$·sudo·chmod·0000·/etc/shadow</pre> |
| 1614 | ············</p><span·class="label·label-primary">Rationale:</span><p>The·<code>/etc/shadow</code>·file·contains·the·list·of·local | 1601 | ············</p><span·class="label·label-primary">Rationale:</span><p>The·<code>/etc/shadow</code>·file·contains·the·list·of·local |
| 1615 | system·accounts·and·stores·password·hashes.·Protection·of·this·file·is | 1602 | system·accounts·and·stores·password·hashes.·Protection·of·this·file·is |
| 1616 | critical·for·system·security.·Failure·to·give·ownership·of·this·file | 1603 | critical·for·system·security.·Failure·to·give·ownership·of·this·file |
| 1617 | to·root·provides·the·designated·owner·with·access·to·sensitive·information | 1604 | to·root·provides·the·designated·owner·with·access·to·sensitive·information |
| 1618 | which·could·weaken·the·system·security·posture.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1605 | which·could·weaken·the·system·security·posture.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1619 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1606 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1620 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26992-8">CCE-26992-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1607 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26992-8">CCE-26992-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1621 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000035</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50305r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65 | 1608 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000035</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50305r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65481">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65481"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>chmod·0000·/etc/shadow |
| 1622 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm65 | 1609 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm65482">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65482"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Ensure·permission·0000·on·/etc/shadow |
| 1623 | ··file: | 1610 | ··file: |
| 1624 | ····path="{{item}}" | 1611 | ····path="{{item}}" |
| 1625 | ····mode=0000 | 1612 | ····mode=0000 |
| 1626 | ··with_items: | 1613 | ··with_items: |
| 1627 | ····-·/etc/shadow | 1614 | ····-·/etc/shadow |
| 1628 | ··tags: | 1615 | ··tags: |
| 1629 | ····-·file_permissions_etc_shadow | 1616 | ····-·file_permissions_etc_shadow |
| Offset 1631, 36 lines modified | Offset 1618, 36 lines modified | ||
| 1631 | ····-·configure_strategy | 1618 | ····-·configure_strategy |
| 1632 | ····-·low_complexity | 1619 | ····-·low_complexity |
| 1633 | ····-·low_disruption | 1620 | ····-·low_disruption |
| 1634 | ····-·CCE-26992-8 | 1621 | ····-·CCE-26992-8 |
| 1635 | ····-·NIST-800-53-AC-6 | 1622 | ····-·NIST-800-53-AC-6 |
| Max diff block lines reached; 321881/353315 bytes (91.10%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 230, 97 lines modified | Offset 230, 14 lines modified | ||
| 230 | class·remove_httpd·{ | 230 | class·remove_httpd·{ |
| 231 | ··package·{·'httpd': | 231 | ··package·{·'httpd': |
| 232 | ····ensure·=>·'purged', | 232 | ····ensure·=>·'purged', |
| 233 | ··} | 233 | ··} |
| 234 | } | 234 | } |
| 235 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 235 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 236 | package·--remove=httpd | 236 | package·--remove=httpd |
| 237 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 238 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 239 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 240 | parameters·from·a·server. | ||
| 241 | <br><br> | ||
| 242 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 243 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 244 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 245 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 246 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 247 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 248 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 249 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 250 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 251 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 252 | the·dhcp·package·can·be·uninstalled. | ||
| 253 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 254 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 255 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 256 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 257 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27120-5">CCE-27120-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 258 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 259 | # | ||
| 260 | #·Example·Call(s): | ||
| 261 | # | ||
| 262 | #·····package_remove·telnet-server | ||
| 263 | # | ||
| 264 | function·package_remove·{ | ||
| 265 | #·Load·function·arguments·into·local·variables | ||
| 266 | local·package="$1" | ||
| 267 | #·Check·sanity·of·the·input | ||
| 268 | if·[·$#·-ne·"1"·] | ||
| 269 | then | ||
| 270 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 271 | ··echo·"Aborting." | ||
| 272 | ··exit·1 | ||
| 273 | fi | ||
| 274 | if·which·dnf·;·then | ||
| 275 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 276 | ····dnf·remove·-y·"$package" | ||
| 277 | ··fi | ||
| 278 | elif·which·yum·;·then | ||
| 279 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 280 | ····yum·remove·-y·"$package" | ||
| 281 | ··fi | ||
| 282 | elif·which·apt-get·;·then | ||
| 283 | ··apt-get·remove·-y·"$package" | ||
| 284 | else | ||
| 285 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 286 | ··echo·"Aborting." | ||
| 287 | ··exit·1 | ||
| 288 | fi | ||
| 289 | } | ||
| 290 | package_remove·dhcp | ||
| 291 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29718">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29718"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 292 | ··package: | ||
| 293 | ····name="{{item}}" | ||
| 294 | ····state=absent | ||
| 295 | ··with_items: | ||
| 296 | ····-·dhcp | ||
| 297 | ··tags: | ||
| 298 | ····-·package_dhcp_removed | ||
| 299 | ····-·medium_severity | ||
| 300 | ····-·disable_strategy | ||
| 301 | ····-·low_complexity | ||
| 302 | ····-·low_disruption | ||
| 303 | ····-·CCE-27120-5 | ||
| 304 | ····-·NIST-800-53-CM-7 | ||
| 305 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29719">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29719"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 306 | class·remove_dhcp·{ | ||
| 307 | ··package·{·'dhcp': | ||
| 308 | ····ensure·=>·'purged', | ||
| 309 | ··} | ||
| 310 | } | ||
| 311 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29720">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29720"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 312 | package·--remove=dhcp | ||
| 313 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | 237 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 314 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 238 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 315 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 239 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 316 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 240 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 317 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 241 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 318 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 242 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 319 | outside·world. | 243 | outside·world. |
| Offset 340, 15 lines modified | Offset 257, 15 lines modified | ||
| 340 | <br><br> | 257 | <br><br> |
| 341 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 258 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 342 | servers,·and·the·remainder·obtaining·time·information·from·those | 259 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 343 | internal·servers. | 260 | internal·servers. |
| 344 | <br><br> | 261 | <br><br> |
| 345 | More·information·on·how·to·configure·the·NTP·server·software, | 262 | More·information·on·how·to·configure·the·NTP·server·software, |
| 346 | including·configuration·of·cryptographic·authentication·for | 263 | including·configuration·of·cryptographic·authentication·for |
| 347 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 264 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 348 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 265 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 349 | ·········· | 266 | ·········· |
| 350 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 267 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 351 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 268 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 352 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 269 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| Max diff block lines reached; 1793763/1812990 bytes (98.94%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 69, 31 lines modified | Offset 69, 31 lines modified | ||
| 69 | <br><br> | 69 | <br><br> |
| 70 | However,·there·are·some·FTP·server·configurations·which·may | 70 | However,·there·are·some·FTP·server·configurations·which·may |
| 71 | be·appropriate·for·some·environments,·particularly·those·which | 71 | be·appropriate·for·some·environments,·particularly·those·which |
| 72 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 72 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 73 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 73 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 75 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 75 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 76 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 76 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29014"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 78 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 79 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 80 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 81 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 82 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 83 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 78 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 84 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 79 | <pre>xferlog_enable=YES | 85 | <pre>xferlog_enable=YES |
| 80 | xferlog_std_format=NO | 86 | xferlog_std_format=NO |
| 81 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 87 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 82 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 88 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 83 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 89 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 84 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 90 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 85 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 91 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 86 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 92 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 88 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 89 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 90 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 91 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 92 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 93 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | 93 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 94 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | 94 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service |
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 96 | ············ | 96 | ············ |
| 97 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | 97 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 98 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | 98 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 99 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | 99 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| Offset 536, 22 lines modified | Offset 536, 21 lines modified | ||
| 536 | <br><br> | 536 | <br><br> |
| 537 | If·this·functionality·is·unnecessary,·comment·out·the·module: | 537 | If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 538 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> | 538 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> |
| 539 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 539 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 540 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 540 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 541 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 541 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 542 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27362-3">CCE-27362-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 542 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27362-3">CCE-27362-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·id="guide-tree-leaf-idm29440"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication">Disable·HTTP·Digest·Authentication |
| 543 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 543 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_digest_authentication">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>auth_digest</code>·module·provides·encrypted·authentication·sessions. |
| 544 | 544 | If·this·functionality·is·unnecessary,·comment·out·the·related·module: | |
| 545 | <pre>#LoadModule· | 545 | <pre>#LoadModule·auth_digest_module·modules/mod_auth_digest.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 546 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 547 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 546 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 548 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 547 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 549 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 548 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27553-7">CCE-27553-7</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·id="guide-tree-leaf-idm29447"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status">Disable·Server·Activity·Status |
| 550 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of | 549 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of |
| 551 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled | 550 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled |
| 552 | unless·necessary.·To·do·so,·comment·out·the·related·module: | 551 | unless·necessary.·To·do·so,·comment·out·the·related·module: |
| 553 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> | 552 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> |
| 554 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status | 553 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status |
| 555 | page·is·properly·restricted·to·a·limited·set·of·hosts·in·the·status·handler | 554 | page·is·properly·restricted·to·a·limited·set·of·hosts·in·the·status·handler |
| 556 | configuration.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 555 | configuration.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| Offset 562, 21 lines modified | Offset 561, 22 lines modified | ||
| 562 | can·create·an·unnecessary·security·leak·and·should·be·disabled. | 561 | can·create·an·unnecessary·security·leak·and·should·be·disabled. |
| 563 | If·its·functionality·is·unnecessary,·comment·out·the·module: | 562 | If·its·functionality·is·unnecessary,·comment·out·the·module: |
| 564 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> | 563 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> |
| 565 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide | 564 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide |
| 566 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 565 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 567 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 566 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 568 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 567 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 569 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27507-3">CCE-27507-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 568 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27507-3">CCE-27507-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_url_correction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_url_correction"·id="guide-tree-leaf-idm29462"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_url_correction">Disable·URL·Correction·on·Misspelled·Entries |
| 570 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 569 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_url_correction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>speling</code>·module·attempts·to·find·a·document·match·by·allowing·one·misspelling·in·an |
| 571 | If·this·functionality·is·unnecessary,·comment·out·th | 570 | otherwise·failed·request.·If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 572 | <pre>#LoadModule· | 571 | <pre>#LoadModule·speling_module·modules/mod_speling.so</pre> |
| 572 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 573 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 573 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 574 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 574 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 575 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 575 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27276-5">CCE-27276-5</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic"·id="guide-tree-leaf-idm29469"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_mime_magic">Disable·MIME·Magic |
| 576 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations | 576 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations |
| 577 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: | 577 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: |
| 578 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 578 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 579 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 579 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 580 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 580 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 581 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27541-2">CCE-27541-2</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29476"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) | 581 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27541-2">CCE-27541-2</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29476"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) |
| 582 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_webdav">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>WebDAV·is·an·extension·of·the·HTTP·protocol·that·provides·distributed·and | 582 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_webdav">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>WebDAV·is·an·extension·of·the·HTTP·protocol·that·provides·distributed·and |
| Offset 627, 110 lines modified | Offset 627, 15 lines modified | ||
| 627 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler | 627 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler |
| 628 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, | 628 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, |
| 629 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers | 629 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers |
| 630 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that | 630 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that |
| 631 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 631 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 632 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 632 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 633 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 633 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 634 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27442-3">CCE-27442-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 634 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27442-3">CCE-27442-3</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 635 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 636 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 637 | parameters·from·a·server. | ||
| 638 | <br><br> | ||
| 639 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 640 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 641 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 642 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 643 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 644 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 645 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 646 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 647 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 648 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 649 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 650 | following·changes: | ||
| 651 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 652 | <pre>BOOTPROTO=none</pre> | ||
| 653 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| Max diff block lines reached; 2682041/2733007 bytes (98.14%) of diff not shown. | |||
| Offset 53, 15 lines modified | Offset 53, 15 lines modified | ||
| 53 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 53 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 54 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 54 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 55 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 55 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 56 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 56 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 57 | quality,·reliability,·or·any·other·characteristic. | 57 | quality,·reliability,·or·any·other·characteristic. |
| 58 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 58 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 59 | ····························(as·of·2018-07-26) | 59 | ····························(as·of·2018-07-26) |
| 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.conte[·...·truncated·by·diffoscope;·len:·622,·SHA1:·5fdea4aa41595454218b51257d3604d966d4890a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 64 | ones·can·be·safely·disabled. | 64 | ones·can·be·safely·disabled. |
| 65 | <br><br> | 65 | <br><br> |
| 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 318, 261 lines modified | Offset 318, 15 lines modified | ||
| 318 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29258"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | 318 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29258"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory |
| 319 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | 319 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: |
| 320 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | 320 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> |
| 321 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | 321 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker |
| 322 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 322 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 323 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 323 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 324 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27150-2">CCE-27150-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 324 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27150-2">CCE-27150-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 325 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 325 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 326 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 327 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 328 | parameters·from·a·server. | ||
| 329 | <br><br> | ||
| 330 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 331 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 332 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 333 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 334 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 335 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 336 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 337 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 338 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 339 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 340 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 341 | following·changes: | ||
| 342 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 343 | <pre>BOOTPROTO=none</pre> | ||
| 344 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 345 | values·based·on·your·site's·addressing·scheme: | ||
| 346 | <pre>NETMASK=255.255.255.0 | ||
| 347 | IPADDR=192.168.1.2 | ||
| 348 | GATEWAY=192.168.1.1</pre> | ||
| 349 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 350 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 351 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 352 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 353 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 354 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27021-5">CCE-27021-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 355 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000292</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 356 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 357 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 358 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 359 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 360 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 361 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 362 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 363 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·id="guide-tree-leaf-idm29656"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">Deny·Decline·Messages | ||
| 364 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·<code>/etc/dhcp/dhcpd.conf</code>·and·add·or·correct·the·following | ||
| 365 | global·option·to·prevent·the·DHCP·server·from·responding·the·DHCPDECLINE | ||
| 366 | messages,·if·possible:·<pre>deny·declines;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DHCPDECLINE·message·can·be·sent·by·a·DHCP·client·to·indicate | ||
| 367 | that·it·does·not·consider·the·lease·offered·by·the·server·to·be·valid.·By | ||
| 368 | issuing·many·DHCPDECLINE·messages,·a·malicious·client·can·exhaust·the·DHCP | ||
| 369 | server's·pool·of·IP·addresses,·causing·the·DHCP·server·to·forget·old·address | ||
| 370 | allocations.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 371 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 372 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27106-4">CCE-27106-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 373 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·id="guide-tree-leaf-idm29666"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">Do·Not·Use·Dynamic·DNS | ||
| 374 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·prevent·the·DHCP·server·from·receiving·DNS·information·from | ||
| 375 | clients,·edit·<code>/etc/dhcp/dhcpd.conf</code>,·and·add·or·correct·the·following·global | ||
| 376 | option:·<pre>ddns-update-style·none;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·Dynamic·DNS·protocol·is·used·to·remotely·update·the·data·served | ||
| 377 | by·a·DNS·server.·DHCP·servers·can·use·Dynamic·DNS·to·publish·information·about | ||
| 378 | their·clients.·This·setup·carries·security·risks,·and·its·use·is·not | ||
| 379 | recommended.··If·Dynamic·DNS·must·be·used·despite·the·risks·it·poses,·it·is | ||
| 380 | critical·that·Dynamic·DNS·transactions·be·protected·using·TSIG·or·some·other | ||
| 381 | cryptographic·authentication·mechanism.·See·dhcpd.conf(5)·for·more·information | ||
| 382 | about·protecting·the·DHCP·server·from·passing·along·malicious·DNS·data·from·its | ||
| 383 | clients.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 384 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 385 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27049-6">CCE-27049-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 386 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·id="guide-tree-leaf-idm29684"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">Deny·BOOTP·Queries | ||
| 387 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unless·your·network·needs·to·support·older·BOOTP·clients,·disable | ||
| 388 | support·for·the·bootp·protocol·by·adding·or·correcting·the·global·option: | ||
| 389 | <pre>deny·bootp;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·bootp·option·tells·dhcpd·to·respond·to·BOOTP·queries.·If·support | ||
| 390 | for·this·simpler·protocol·is·not·needed,·it·should·be·disabled·to·remove·attack | ||
| 391 | vectors·against·the·DHCP·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 392 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 393 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27077-7">CCE-27077-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 394 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 395 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 396 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 397 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 398 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 399 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 400 | the·dhcp·package·can·be·uninstalled. | ||
| 401 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 402 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 403 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 404 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 405 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27120-5">CCE-27120-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 406 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 407 | # | ||
| 408 | #·Example·Call(s): | ||
| 409 | # | ||
| 410 | #·····package_remove·telnet-server | ||
| 411 | # | ||
| 412 | function·package_remove·{ | ||
| 413 | #·Load·function·arguments·into·local·variables | ||
| 414 | local·package="$1" | ||
| 415 | #·Check·sanity·of·the·input | ||
| 416 | if·[·$#·-ne·"1"·] | ||
| 417 | then | ||
| 418 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 419 | ··echo·"Aborting." | ||
| 420 | ··exit·1 | ||
| 421 | fi | ||
| 422 | if·which·dnf·;·then | ||
| 423 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 424 | ····dnf·remove·-y·"$package" | ||
| Max diff block lines reached; 1905037/1939876 bytes (98.20%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1152,·SHA1:·dd5cc62f3a273462962f45a6acbfc2a35644bcb6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 307, 45 lines modified | Offset 307, 15 lines modified | ||
| 307 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, | 307 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, |
| 308 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline | 308 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline |
| 309 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication | 309 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication |
| 310 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. | 310 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. |
| 311 | <br><br> | 311 | <br><br> |
| 312 | For·more·information,·see | 312 | For·more·information,·see |
| 313 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> | 313 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> |
| 314 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 314 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 315 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 316 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 317 | parameters·from·a·server. | ||
| 318 | <br><br> | ||
| 319 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 320 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 321 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 322 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 323 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 324 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 325 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 326 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 327 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 328 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 329 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 330 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 331 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 332 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 333 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 334 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 335 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 336 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 337 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 338 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 339 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_client_configuration">Configure·DHCP·Client·if·Necessary | ||
| 340 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_client_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·DHCP·must·be·used,·then·certain·configuration·changes·can | ||
| 341 | minimize·the·amount·of·information·it·receives·and·applies·from·the·network, | ||
| 342 | and·thus·the·amount·of·incorrect·information·a·rogue·DHCP·server·could | ||
| 343 | successfully·distribute.··For·more·information·on·configuring·dhclient,·see·the | ||
| 344 | <code>dhclient(8)</code>·and·<code>dhclient.conf(5)</code>·man·pages.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 345 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 315 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 346 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 316 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 347 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 317 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 348 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 318 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 349 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 319 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 350 | outside·world. | 320 | outside·world. |
| 351 | <br><br> | 321 | <br><br> |
| Offset 393, 42 lines modified | Offset 363, 15 lines modified | ||
| 393 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully | 363 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully |
| 394 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: | 364 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: |
| 395 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network | 365 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network |
| 396 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management | 366 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management |
| 397 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible | 367 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible |
| 398 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote | 368 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote |
| 399 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and | 369 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and |
| 400 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 370 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 401 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 402 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 403 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 404 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 405 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_restrict_at_cron_users">Restrict·at·and·cron·to·Authorized·Users·if·Necessary | ||
| 406 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_restrict_at_cron_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>/etc/cron.allow</code>·and·<code>/etc/at.allow</code>·files·contain·lists·of·users·who·are·allowed | ||
| 407 | to·use·cron·and·at·to·delay·execution·of·processes.·If·these·files·exist·and | ||
| 408 | if·the·corresponding·files·<code>/etc/cron.deny</code>·and·<code>/etc/at.deny</code>·do·not·exist, | ||
| 409 | then·only·users·listed·in·the·relevant·allow·files·can·run·the·crontab·and·at | ||
| 410 | commands·to·submit·jobs·to·be·run·at·scheduled·intervals. | ||
| 411 | On·many·systems,·only·the·system·administrator·needs·the·ability·to·schedule | ||
| 412 | jobs.·Note·that·even·if·a·given·user·is·not·listed·in·<code>cron.allow</code>,·cron·jobs·can | ||
| 413 | still·be·run·as·that·user.·The·<code>cron.allow</code>·file·controls·only·administrative·access | ||
| 414 | to·the·crontab·command·for·scheduling·and·modifying·cron·jobs. | ||
| 415 | <br> | ||
| 416 | <br> | ||
| 417 | To·restrict·at·and·cron·to·only·authorized·users: | ||
| 418 | <ul><li>Remove·the·cron.deny·file:<pre>$·sudo·rm·/etc/cron.deny</pre></li><li>Edit·<code>/etc/cron.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·crontab·command·to·create·cron·jobs.</li><li>Remove·the·<code>at.deny</code>·file:<pre>$·sudo·rm·/etc/at.deny</pre></li><li>Edit·<code>/etc/at.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·at·command·to·create·at·jobs.</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_xwindows">X·Window·System | ||
| 419 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·X·Window·System·implementation·included·with·the | ||
| 420 | system·is·called·X.org.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_xwindows">Disable·X·Windows | ||
| 421 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Unless·there·is·a·mission-critical·reason·for·the | ||
| 422 | system·to·run·a·graphical·user·interface,·ensure·X·is·not·set·to·start | ||
| 423 | automatically·at·boot·and·remove·the·X·Windows·software·packages. | ||
| 424 | There·is·usually·no·reason·to·run·X·Windows | ||
| 425 | on·a·dedicated·server·system,·as·it·increases·the·system's·attack·surface·and·consumes | ||
| 426 | system·resources.·Administrators·of·server·systems·should·instead·login·via | ||
| 427 | SSH·or·on·the·text·console.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 428 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 371 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 429 | services·which·have·historically·caused·problems·for·system | 372 | services·which·have·historically·caused·problems·for·system |
| 430 | security,·and·for·which·disabling·or·severely·limiting·the·service | 373 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 431 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 374 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 432 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 | 375 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 |
| 433 | by·default. | 376 | by·default. |
| 434 | <br><br> | 377 | <br><br> |
| Offset 462, 138 lines modified | Offset 405, 128 lines modified | ||
| 462 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 405 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 463 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 406 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 464 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 407 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 465 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 408 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 466 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 409 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 467 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 410 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 468 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 411 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 469 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 412 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 470 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 413 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 471 | 414 | standardized·way·of·looking·up·information·from·a·central·database. | |
| 472 | 415 | Red·Hat·Enterprise·Linux·6·includes·software·that·enables·a·system·to·act·as·both | |
| 473 | and·then·detail | 416 | an·LDAP·client·and·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openldap_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_openldap_server">Configure·OpenLDAP·Server |
| 474 | 417 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openldap_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·details·some·security-relevant·settings | |
| 475 | 418 | for·an·OpenLDAP·server.··Installation·and·configuration·of·OpenLDAP·on·Red·Hat·Enterprise·Linux·6·is·available·at: | |
| 476 | 419 | <a·href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openldap_server"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">Install·and·Protect·LDAP·Certificate·Files | |
| 477 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 420 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Create·the·PKI·directory·for·LDAP·certificates·if·it·does·not·already·exist: |
| 478 | 421 | <pre>$·sudo·mkdir·/etc/pki/tls/ldap | |
| 479 | 422 | $·sudo·chown·root:root·/etc/pki/tls/ldap | |
| 480 | 423 | $·sudo·chmod·755·/etc/pki/tls/ldap</pre> | |
| 481 | 424 | Using·removable·media·or·some·other·secure·transmission·format,·install·the·certificate·files | |
| 482 | 425 | onto·the·LDAP·server: | |
| 483 | 426 | <ul><li><code>/etc/pki/tls/ldap/serverkey.pem</code>:·the·private·key·<code>ldapserverkey.pem</code></li><li><code>/etc/pki/tls/ldap/servercert.pem</code>:·the·certificate·file·<code>ldapservercert.pem</code></li></ul> | |
| Max diff block lines reached; 167027/225188 bytes (74.17%) of diff not shown. | |||
| Offset 49, 15 lines modified | Offset 49, 15 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·887,·SHA1:·65d32b80d8d9fc9390e2f6a61646977453fe2c7d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 428, 200 lines modified | Offset 428, 14 lines modified | ||
| 428 | class·remove_httpd·{ | 428 | class·remove_httpd·{ |
| 429 | ··package·{·'httpd': | 429 | ··package·{·'httpd': |
| 430 | ····ensure·=>·'purged', | 430 | ····ensure·=>·'purged', |
| 431 | ··} | 431 | ··} |
| 432 | } | 432 | } |
| 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 434 | package·--remove=httpd | 434 | package·--remove=httpd |
| 435 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 436 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 437 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 438 | parameters·from·a·server. | ||
| 439 | <br><br> | ||
| 440 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 441 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 442 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 443 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 444 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 445 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 446 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 447 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 448 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 449 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 450 | the·dhcp·package·can·be·uninstalled. | ||
| 451 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 452 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 453 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 454 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 455 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27120-5">CCE-27120-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 456 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 457 | # | ||
| 458 | #·Example·Call(s): | ||
| 459 | # | ||
| 460 | #·····package_remove·telnet-server | ||
| 461 | # | ||
| 462 | function·package_remove·{ | ||
| 463 | #·Load·function·arguments·into·local·variables | ||
| 464 | local·package="$1" | ||
| 465 | #·Check·sanity·of·the·input | ||
| 466 | if·[·$#·-ne·"1"·] | ||
| 467 | then | ||
| 468 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 469 | ··echo·"Aborting." | ||
| 470 | ··exit·1 | ||
| 471 | fi | ||
| 472 | if·which·dnf·;·then | ||
| 473 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 474 | ····dnf·remove·-y·"$package" | ||
| 475 | ··fi | ||
| 476 | elif·which·yum·;·then | ||
| 477 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 478 | ····yum·remove·-y·"$package" | ||
| 479 | ··fi | ||
| 480 | elif·which·apt-get·;·then | ||
| 481 | ··apt-get·remove·-y·"$package" | ||
| 482 | else | ||
| 483 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 484 | ··echo·"Aborting." | ||
| 485 | ··exit·1 | ||
| 486 | fi | ||
| 487 | } | ||
| 488 | package_remove·dhcp | ||
| 489 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29718">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29718"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 490 | ··package: | ||
| 491 | ····name="{{item}}" | ||
| 492 | ····state=absent | ||
| 493 | ··with_items: | ||
| 494 | ····-·dhcp | ||
| 495 | ··tags: | ||
| 496 | ····-·package_dhcp_removed | ||
| 497 | ····-·medium_severity | ||
| 498 | ····-·disable_strategy | ||
| 499 | ····-·low_complexity | ||
| 500 | ····-·low_disruption | ||
| 501 | ····-·CCE-27120-5 | ||
| 502 | ····-·NIST-800-53-CM-7 | ||
| 503 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29719">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29719"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 504 | class·remove_dhcp·{ | ||
| 505 | ··package·{·'dhcp': | ||
| 506 | ····ensure·=>·'purged', | ||
| 507 | ··} | ||
| 508 | } | ||
| 509 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29720">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29720"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 510 | package·--remove=dhcp | ||
| 511 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29725"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 512 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 513 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 514 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 515 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 516 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 517 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 518 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 519 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27074-4">CCE-27074-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 520 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29735">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29735"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 521 | # | ||
| 522 | #·Example·Call(s): | ||
| 523 | # | ||
| 524 | #·····service_command·enable·bluetooth | ||
| 525 | #·····service_command·disable·bluetooth.service | ||
| 526 | # | ||
| 527 | #·····Using·xinetd: | ||
| 528 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 529 | # | ||
| 530 | function·service_command·{ | ||
| Max diff block lines reached; 1962744/1984546 bytes (98.90%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA1:·41be5defbc9b88735c60d3c6378434afc19f29f2·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 15 lines modified | Offset 83, 15 lines modified | ||
| 83 | <br><br> | 83 | <br><br> |
| 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 85 | servers,·and·the·remainder·obtaining·time·information·from·those | 85 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 86 | internal·servers. | 86 | internal·servers. |
| 87 | <br><br> | 87 | <br><br> |
| 88 | More·information·on·how·to·configure·the·NTP·server·software, | 88 | More·information·on·how·to·configure·the·NTP·server·software, |
| 89 | including·configuration·of·cryptographic·authentication·for | 89 | including·configuration·of·cryptographic·authentication·for |
| 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 92 | ·········· | 92 | ·········· |
| 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 101, 15 lines modified | Offset 101, 15 lines modified | ||
| 101 | logs·and·auditing·possible·security·breaches.·· | 101 | logs·and·auditing·possible·security·breaches.·· |
| 102 | <br><br> | 102 | <br><br> |
| 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 104 | deprecated.··Additional·information·on·this·is·available·at· | 104 | deprecated.··Additional·information·on·this·is·available·at· |
| 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29653">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29653"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····service_command·enable·bluetooth | 112 | #·····service_command·enable·bluetooth |
| 113 | #·····service_command·disable·bluetooth.service | 113 | #·····service_command·disable·bluetooth.service |
| 114 | # | 114 | # |
| 115 | #·····Using·xinetd: | 115 | #·····Using·xinetd: |
| Offset 177, 15 lines modified | Offset 177, 15 lines modified | ||
| 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 178 | ··fi | 178 | ··fi |
| 179 | fi | 179 | fi |
| 180 | } | 180 | } |
| 181 | service_command·enable·ntpd | 181 | service_command·enable·ntpd |
| 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29655">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29655"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 183 | ··service: | 183 | ··service: |
| 184 | ····name="{{item}}" | 184 | ····name="{{item}}" |
| 185 | ····enabled="yes" | 185 | ····enabled="yes" |
| 186 | ····state="started" | 186 | ····state="started" |
| 187 | ··with_items: | 187 | ··with_items: |
| 188 | ····-·ntpd | 188 | ····-·ntpd |
| 189 | ··tags: | 189 | ··tags: |
| Offset 194, 252 lines modified | Offset 194, 37 lines modified | ||
| 194 | ····-·enable_strategy | 194 | ····-·enable_strategy |
| 195 | ····-·low_complexity | 195 | ····-·low_complexity |
| 196 | ····-·low_disruption | 196 | ····-·low_disruption |
| 197 | ····-·CCE-27093-4 | 197 | ····-·CCE-27093-4 |
| 198 | ····-·NIST-800-53-AU-8(1) | 198 | ····-·NIST-800-53-AU-8(1) |
| 199 | ····-·PCI-DSS-Req-10.4 | 199 | ····-·PCI-DSS-Req-10.4 |
| 200 | ····-·DISA-STIG-RHEL-06-000247 | 200 | ····-·DISA-STIG-RHEL-06-000247 |
| 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29660"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 205 | <em>ntpserver</em>: | ||
| 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29814"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 203 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 204 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 216 | <pre>server·<i>ntpserver</i></pre> | 205 | <pre>server·<i>ntpserver</i></pre> |
| 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 206 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 207 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 208 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 220 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 209 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 221 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 210 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 222 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 223 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 212 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29680"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 224 | ···················· | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 225 | 214 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | |
| 226 | 215 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | |
| 227 | 216 | <em>ntpserver</em>: | |
| 228 | 217 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | |
| 229 | 218 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | |
| 230 | 219 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | |
| 231 | 220 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 232 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 233 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 234 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 235 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 236 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27070-2">CCE-27070-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 237 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000224</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30013">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30013"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 238 | # | ||
| 239 | #·Example·Call(s): | ||
| 240 | # | ||
| 241 | #·····service_command·enable·bluetooth | ||
| 242 | #·····service_command·disable·bluetooth.service | ||
| 243 | # | ||
| 244 | #·····Using·xinetd: | ||
| 245 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 246 | # | ||
| 247 | function·service_command·{ | ||
| 248 | #·Load·function·arguments·into·local·variables | ||
| 249 | local·service_state=$1 | ||
| 250 | local·service=$2 | ||
| 251 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 252 | #·Check·sanity·of·the·input | ||
| 253 | if·[·$#·-lt·"2"·] | ||
| Max diff block lines reached; 2128886/2158262 bytes (98.64%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 80, 45 lines modified | Offset 80, 45 lines modified | ||
| 80 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | 80 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than |
| 81 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | 81 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: |
| 82 | <pre>local_enable=NO</pre> | 82 | <pre>local_enable=NO</pre> |
| 83 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | 83 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure |
| 84 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 84 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27115-5">CCE-27115-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27115-5">CCE-27115-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 87 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 87 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29014"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 89 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 90 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 91 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 93 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29029"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 95 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>write_enable=NO</pre> | ||
| 97 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 98 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 99 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 100 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 101 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 102 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27117-1">CCE-27117-1</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29037"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | 103 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can |
| 89 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | 104 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent |
| 90 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 105 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 91 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27411-8">CCE-27411-8</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm290 | 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27411-8">CCE-27411-8</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 94 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 109 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 95 | <pre>xferlog_enable=YES | 110 | <pre>xferlog_enable=YES |
| 96 | xferlog_std_format=NO | 111 | xferlog_std_format=NO |
| 97 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 112 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 98 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 113 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 99 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 114 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 115 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 101 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 116 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 117 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 103 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 104 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 105 | <pre>write_enable=NO</pre> | ||
| 106 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 107 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 108 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 109 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 110 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 111 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27117-1">CCE-27117-1</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 113 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 114 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 116 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 118 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | 118 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 119 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29061"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | 119 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29061"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package |
| 120 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | 120 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. |
| 121 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | 121 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security |
| 122 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 122 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 123 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 123 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 124 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27187-4">CCE-27187-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 124 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27187-4">CCE-27187-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 179, 45 lines modified | Offset 179, 15 lines modified | ||
| 179 | class·install_vsftpd·{ | 179 | class·install_vsftpd·{ |
| 180 | ··package·{·'vsftpd': | 180 | ··package·{·'vsftpd': |
| 181 | ····ensure·=>·'installed', | 181 | ····ensure·=>·'installed', |
| 182 | ··} | 182 | ··} |
| 183 | } | 183 | } |
| 184 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> | 184 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> |
| 185 | package·--add=vsftpd | 185 | package·--add=vsftpd |
| 186 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 186 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 187 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 188 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 189 | parameters·from·a·server. | ||
| 190 | <br><br> | ||
| 191 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 192 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 193 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 194 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 195 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 196 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 197 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 198 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 199 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 200 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 201 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 202 | following·changes: | ||
| 203 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 204 | <pre>BOOTPROTO=none</pre> | ||
| 205 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 206 | values·based·on·your·site's·addressing·scheme: | ||
| 207 | <pre>NETMASK=255.255.255.0 | ||
| 208 | IPADDR=192.168.1.2 | ||
| 209 | GATEWAY=192.168.1.1</pre> | ||
| 210 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 211 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 212 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 213 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 214 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 215 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27021-5">CCE-27021-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 216 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000292</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 217 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 187 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 218 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 188 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 219 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 189 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 220 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 190 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 221 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 191 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 222 | outside·world. | 192 | outside·world. |
| 223 | <br><br> | 193 | <br><br> |
| Offset 236, 15 lines modified | Offset 206, 15 lines modified | ||
| 236 | <br><br> | 206 | <br><br> |
| 237 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 207 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 238 | servers,·and·the·remainder·obtaining·time·information·from·those | 208 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 239 | internal·servers. | 209 | internal·servers. |
| Max diff block lines reached; 2038065/2071068 bytes (98.41%) of diff not shown. | |||
| Offset 53, 15 lines modified | Offset 53, 15 lines modified | ||
| 53 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 53 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 54 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 54 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 55 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 55 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 56 | quality,·reliability,·or·any·other·characteristic. | 56 | quality,·reliability,·or·any·other·characteristic. |
| 57 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 57 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 58 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 58 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 59 | ····························(as·of·2018-07-26) | 59 | ····························(as·of·2018-07-26) |
| 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#x[·...·truncated·by·diffoscope;·len:·732,·SHA1:·2219f187bb27e11bbb6b7ed4731606f600bfb059·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 64 | ones·can·be·safely·disabled. | 64 | ones·can·be·safely·disabled. |
| 65 | <br><br> | 65 | <br><br> |
| 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 328, 221 lines modified | Offset 328, 14 lines modified | ||
| 328 | class·remove_httpd·{ | 328 | class·remove_httpd·{ |
| 329 | ··package·{·'httpd': | 329 | ··package·{·'httpd': |
| 330 | ····ensure·=>·'purged', | 330 | ····ensure·=>·'purged', |
| 331 | ··} | 331 | ··} |
| 332 | } | 332 | } |
| 333 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 333 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 334 | package·--remove=httpd | 334 | package·--remove=httpd |
| 335 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 336 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 337 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 338 | parameters·from·a·server. | ||
| 339 | <br><br> | ||
| 340 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 341 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 342 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 343 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 344 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 345 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 346 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 347 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 348 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 349 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 350 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 351 | following·changes: | ||
| 352 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 353 | <pre>BOOTPROTO=none</pre> | ||
| 354 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 355 | values·based·on·your·site's·addressing·scheme: | ||
| 356 | <pre>NETMASK=255.255.255.0 | ||
| 357 | IPADDR=192.168.1.2 | ||
| 358 | GATEWAY=192.168.1.1</pre> | ||
| 359 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 360 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 361 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 362 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 363 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 364 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27021-5">CCE-27021-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 365 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000292</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 366 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 367 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 368 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 369 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 370 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 371 | the·dhcp·package·can·be·uninstalled. | ||
| 372 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 373 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 374 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 375 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 376 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27120-5">CCE-27120-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 377 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 378 | # | ||
| 379 | #·Example·Call(s): | ||
| 380 | # | ||
| 381 | #·····package_remove·telnet-server | ||
| 382 | # | ||
| 383 | function·package_remove·{ | ||
| 384 | #·Load·function·arguments·into·local·variables | ||
| 385 | local·package="$1" | ||
| 386 | #·Check·sanity·of·the·input | ||
| 387 | if·[·$#·-ne·"1"·] | ||
| 388 | then | ||
| 389 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 390 | ··echo·"Aborting." | ||
| 391 | ··exit·1 | ||
| 392 | fi | ||
| 393 | if·which·dnf·;·then | ||
| 394 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 395 | ····dnf·remove·-y·"$package" | ||
| 396 | ··fi | ||
| 397 | elif·which·yum·;·then | ||
| 398 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 399 | ····yum·remove·-y·"$package" | ||
| 400 | ··fi | ||
| 401 | elif·which·apt-get·;·then | ||
| 402 | ··apt-get·remove·-y·"$package" | ||
| 403 | else | ||
| 404 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 405 | ··echo·"Aborting." | ||
| 406 | ··exit·1 | ||
| 407 | fi | ||
| 408 | } | ||
| 409 | package_remove·dhcp | ||
| 410 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29718">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29718"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 411 | ··package: | ||
| 412 | ····name="{{item}}" | ||
| 413 | ····state=absent | ||
| 414 | ··with_items: | ||
| 415 | ····-·dhcp | ||
| 416 | ··tags: | ||
| 417 | ····-·package_dhcp_removed | ||
| 418 | ····-·medium_severity | ||
| 419 | ····-·disable_strategy | ||
| 420 | ····-·low_complexity | ||
| 421 | ····-·low_disruption | ||
| 422 | ····-·CCE-27120-5 | ||
| 423 | ····-·NIST-800-53-CM-7 | ||
| 424 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29719">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29719"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 425 | class·remove_dhcp·{ | ||
| 426 | ··package·{·'dhcp': | ||
| 427 | ····ensure·=>·'purged', | ||
| 428 | ··} | ||
| 429 | } | ||
| 430 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29720">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29720"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 431 | package·--remove=dhcp | ||
| Max diff block lines reached; 2405991/2431172 bytes (98.96%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 15 lines modified | Offset 83, 15 lines modified | ||
| 83 | <br><br> | 83 | <br><br> |
| 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 85 | servers,·and·the·remainder·obtaining·time·information·from·those | 85 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 86 | internal·servers. | 86 | internal·servers. |
| 87 | <br><br> | 87 | <br><br> |
| 88 | More·information·on·how·to·configure·the·NTP·server·software, | 88 | More·information·on·how·to·configure·the·NTP·server·software, |
| 89 | including·configuration·of·cryptographic·authentication·for | 89 | including·configuration·of·cryptographic·authentication·for |
| 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 92 | ·········· | 92 | ·········· |
| 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 101, 15 lines modified | Offset 101, 15 lines modified | ||
| 101 | logs·and·auditing·possible·security·breaches.·· | 101 | logs·and·auditing·possible·security·breaches.·· |
| 102 | <br><br> | 102 | <br><br> |
| 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 104 | deprecated.··Additional·information·on·this·is·available·at· | 104 | deprecated.··Additional·information·on·this·is·available·at· |
| 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29653">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29653"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····service_command·enable·bluetooth | 112 | #·····service_command·enable·bluetooth |
| 113 | #·····service_command·disable·bluetooth.service | 113 | #·····service_command·disable·bluetooth.service |
| 114 | # | 114 | # |
| 115 | #·····Using·xinetd: | 115 | #·····Using·xinetd: |
| Offset 177, 15 lines modified | Offset 177, 15 lines modified | ||
| 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 178 | ··fi | 178 | ··fi |
| 179 | fi | 179 | fi |
| 180 | } | 180 | } |
| 181 | service_command·enable·ntpd | 181 | service_command·enable·ntpd |
| 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29655">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29655"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 183 | ··service: | 183 | ··service: |
| 184 | ····name="{{item}}" | 184 | ····name="{{item}}" |
| 185 | ····enabled="yes" | 185 | ····enabled="yes" |
| 186 | ····state="started" | 186 | ····state="started" |
| 187 | ··with_items: | 187 | ··with_items: |
| 188 | ····-·ntpd | 188 | ····-·ntpd |
| 189 | ··tags: | 189 | ··tags: |
| Offset 194, 50 lines modified | Offset 194, 50 lines modified | ||
| 194 | ····-·enable_strategy | 194 | ····-·enable_strategy |
| 195 | ····-·low_complexity | 195 | ····-·low_complexity |
| 196 | ····-·low_disruption | 196 | ····-·low_disruption |
| 197 | ····-·CCE-27093-4 | 197 | ····-·CCE-27093-4 |
| 198 | ····-·NIST-800-53-AU-8(1) | 198 | ····-·NIST-800-53-AU-8(1) |
| 199 | ····-·PCI-DSS-Req-10.4 | 199 | ····-·PCI-DSS-Req-10.4 |
| 200 | ····-·DISA-STIG-RHEL-06-000247 | 200 | ····-·DISA-STIG-RHEL-06-000247 |
| 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29660"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 205 | <em>ntpserver</em>: | ||
| 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29814"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 203 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 204 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 216 | <pre>server·<i>ntpserver</i></pre> | 205 | <pre>server·<i>ntpserver</i></pre> |
| 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 206 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 207 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 208 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 220 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 209 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 221 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 210 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 222 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 223 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 212 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29680"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 214 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 215 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 216 | <em>ntpserver</em>: | ||
| 217 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 218 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 219 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 220 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 221 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 222 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 223 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | ||
| 224 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and | 224 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and |
| 225 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity | 225 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity |
| 226 | for·data·exchanged·between·two·systems,·as·well·as·server | 226 | for·data·exchanged·between·two·systems,·as·well·as·server |
| 227 | authentication,·through·the·use·of·public·key·cryptography.·The | 227 | authentication,·through·the·use·of·public·key·cryptography.·The |
| 228 | implementation·included·with·the·system·is·called·OpenSSH,·and·more | 228 | implementation·included·with·the·system·is·called·OpenSSH,·and·more |
| 229 | detailed·documentation·is·available·from·its·website, | 229 | detailed·documentation·is·available·from·its·website, |
| 230 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 230 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 231 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 231 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 233 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 233 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 234 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 234 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 235 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 235 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 236 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm3 | 236 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm32018"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 237 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 237 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 238 | interval. | 238 | interval. |
| 239 | After·this·interval·has·passed,·the·idle·user·will·be | 239 | After·this·interval·has·passed,·the·idle·user·will·be |
| 240 | automatically·logged·out. | 240 | automatically·logged·out. |
| 241 | <br><br> | 241 | <br><br> |
| 242 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 242 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 243 | follows: | 243 | follows: |
| Offset 249, 23 lines modified | Offset 249, 23 lines modified | ||
| 249 | shell,·that·value·will·preempt·any·SSH | 249 | shell,·that·value·will·preempt·any·SSH |
| Max diff block lines reached; 924129/949133 bytes (97.37%) of diff not shown. | |||
| Offset 48, 136 lines modified | Offset 48, 23 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 65 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 66 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 67 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 68 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30020"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 69 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 70 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 71 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 72 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 73 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 74 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 75 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 76 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 77 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 78 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 79 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 80 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27249-2">CCE-27249-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 81 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000262</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 82 | # | ||
| 83 | #·Example·Call(s): | ||
| 84 | # | ||
| 85 | #·····service_command·enable·bluetooth | ||
| 86 | #·····service_command·disable·bluetooth.service | ||
| 87 | # | ||
| 88 | #·····Using·xinetd: | ||
| 89 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 90 | # | ||
| 91 | function·service_command·{ | ||
| 92 | #·Load·function·arguments·into·local·variables | ||
| 93 | local·service_state=$1 | ||
| 94 | local·service=$2 | ||
| 95 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 96 | #·Check·sanity·of·the·input | ||
| 97 | if·[·$#·-lt·"2"·] | ||
| 98 | then | ||
| 99 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 100 | ··echo | ||
| 101 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 102 | ··echo·"as·the·last·argument"·· | ||
| 103 | ··echo·"Aborting." | ||
| 104 | ··exit·1 | ||
| 105 | fi | ||
| 106 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 107 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 108 | ··service_util="/usr/bin/systemctl" | ||
| 109 | else | ||
| 110 | ··service_util="/sbin/service" | ||
| 111 | ··chkconfig_util="/sbin/chkconfig" | ||
| 112 | fi | ||
| 113 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 114 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 115 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 116 | ··service_state="enable" | ||
| 117 | ··service_operation="start" | ||
| 118 | ··chkconfig_state="on" | ||
| 119 | else | ||
| 120 | ··service_state="disable" | ||
| 121 | ··service_operation="stop" | ||
| 122 | ··chkconfig_state="off" | ||
| 123 | fi | ||
| 124 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 125 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 126 | ··$service_util·$service·$service_operation | ||
| 127 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 128 | else | ||
| 129 | ··$service_util·$service_operation·$service | ||
| 130 | ··$service_util·$service_state·$service | ||
| 131 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 132 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 133 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 134 | ··$service_util·reset-failed·$service | ||
| 135 | fi | ||
| 136 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 137 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 138 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 139 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 140 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 141 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 142 | ··else | ||
| 143 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 144 | ··fi | ||
| 145 | fi | ||
| 146 | } | ||
| 147 | service_command·disable·atd | ||
| 148 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30042">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30042"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 149 | ··service: | ||
| 150 | ····name="{{item}}" | ||
| 151 | ····enabled="no" | ||
| 152 | ····state="stopped" | ||
| 153 | ··register:·service_result | ||
| 154 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 155 | ··with_items: | ||
| 156 | ····-·atd | ||
| 157 | ··tags: | ||
| 158 | ····-·service_atd_disabled | ||
| 159 | ····-·unknown_severity | ||
| 160 | ····-·disable_strategy | ||
| 161 | ····-·low_complexity | ||
| 162 | ····-·low_disruption | ||
| 163 | ····-·CCE-27249-2 | ||
| 164 | ····-·NIST-800-53-CM-7 | ||
| Max diff block lines reached; 647591/662396 bytes (97.76%) of diff not shown. | |||
| Offset 49, 53 lines modified | Offset 49, 23 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 66 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 67 | parameters·from·a·server. | ||
| 68 | <br><br> | ||
| 69 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 70 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 71 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 72 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 73 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 75 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 76 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 77 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 78 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 79 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 80 | following·changes: | ||
| 81 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 82 | <pre>BOOTPROTO=none</pre> | ||
| 83 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 84 | values·based·on·your·site's·addressing·scheme: | ||
| 85 | <pre>NETMASK=255.255.255.0 | ||
| 86 | IPADDR=192.168.1.2 | ||
| 87 | GATEWAY=192.168.1.1</pre> | ||
| 88 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 89 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 90 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 91 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 93 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27021-5">CCE-27021-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000292</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 96 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 66 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 97 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 67 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 98 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 68 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 99 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 69 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 100 | outside·world. | 70 | outside·world. |
| 101 | <br><br> | 71 | <br><br> |
| Offset 114, 15 lines modified | Offset 84, 15 lines modified | ||
| 114 | <br><br> | 84 | <br><br> |
| 115 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 85 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 116 | servers,·and·the·remainder·obtaining·time·information·from·those | 86 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 117 | internal·servers. | 87 | internal·servers. |
| 118 | <br><br> | 88 | <br><br> |
| 119 | More·information·on·how·to·configure·the·NTP·server·software, | 89 | More·information·on·how·to·configure·the·NTP·server·software, |
| 120 | including·configuration·of·cryptographic·authentication·for | 90 | including·configuration·of·cryptographic·authentication·for |
| 121 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 91 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 122 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 123 | ·········· | 93 | ·········· |
| 124 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 94 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 125 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 95 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 126 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 96 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 127 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 97 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 128 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 98 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 132, 15 lines modified | Offset 102, 15 lines modified | ||
| 132 | logs·and·auditing·possible·security·breaches.·· | 102 | logs·and·auditing·possible·security·breaches.·· |
| 133 | <br><br> | 103 | <br><br> |
| 134 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 104 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 135 | deprecated.··Additional·information·on·this·is·available·at· | 105 | deprecated.··Additional·information·on·this·is·available·at· |
| 136 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 106 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 137 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 107 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 138 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 108 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 139 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 109 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29653">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29653"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 140 | # | 110 | # |
| 141 | #·Example·Call(s): | 111 | #·Example·Call(s): |
| 142 | # | 112 | # |
| 143 | #·····service_command·enable·bluetooth | 113 | #·····service_command·enable·bluetooth |
| 144 | #·····service_command·disable·bluetooth.service | 114 | #·····service_command·disable·bluetooth.service |
| 145 | # | 115 | # |
| 146 | #·····Using·xinetd: | 116 | #·····Using·xinetd: |
| Offset 208, 15 lines modified | Offset 178, 15 lines modified | ||
| 208 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 178 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 209 | ··fi | 179 | ··fi |
| 210 | fi | 180 | fi |
| 211 | } | 181 | } |
| 212 | service_command·enable·ntpd | 182 | service_command·enable·ntpd |
| 213 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 183 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29655">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29655"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 214 | ··service: | 184 | ··service: |
| 215 | ····name="{{item}}" | 185 | ····name="{{item}}" |
| 216 | ····enabled="yes" | 186 | ····enabled="yes" |
| 217 | ····state="started" | 187 | ····state="started" |
| 218 | ··with_items: | 188 | ··with_items: |
| 219 | ····-·ntpd | 189 | ····-·ntpd |
| 220 | ··tags: | 190 | ··tags: |
| Offset 225, 325 lines modified | Offset 195, 26 lines modified | ||
| 225 | ····-·enable_strategy | 195 | ····-·enable_strategy |
| 226 | ····-·low_complexity | 196 | ····-·low_complexity |
| 227 | ····-·low_disruption | 197 | ····-·low_disruption |
| 228 | ····-·CCE-27093-4 | 198 | ····-·CCE-27093-4 |
| 229 | ····-·NIST-800-53-AU-8(1) | 199 | ····-·NIST-800-53-AU-8(1) |
| 230 | ····-·PCI-DSS-Req-10.4 | 200 | ····-·PCI-DSS-Req-10.4 |
| 231 | ····-·DISA-STIG-RHEL-06-000247 | 201 | ····-·DISA-STIG-RHEL-06-000247 |
| 232 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 202 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29660"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 233 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 203 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 234 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 204 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 235 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 205 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 236 | <pre>server·<i>ntpserver</i></pre> | 206 | <pre>server·<i>ntpserver</i></pre> |
| 237 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 207 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 238 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 208 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 239 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 209 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 240 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 210 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 241 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 211 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 242 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 212 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 243 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 213 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 244 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 245 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 246 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 247 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 248 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30001"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 249 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| Max diff block lines reached; 2004037/2052283 bytes (97.65%) of diff not shown. | |||
| Offset 50, 15 lines modified | Offset 50, 15 lines modified | ||
| 50 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 50 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 51 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 51 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 52 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 52 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 53 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 53 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 54 | quality,·reliability,·or·any·other·characteristic. | 54 | quality,·reliability,·or·any·other·characteristic. |
| 55 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 55 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 56 | ····························(as·of·2018-07-26) | 56 | ····························(as·of·2018-07-26) |
| 57 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 57 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.[·...·truncated·by·diffoscope;·len:·426,·SHA1:·272d3d702e27eb16cc11a094bca0fa13fa0b2249·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 58 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 58 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 59 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 59 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 60 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 60 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 61 | ones·can·be·safely·disabled. | 61 | ones·can·be·safely·disabled. |
| 62 | <br><br> | 62 | <br><br> |
| 63 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 63 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 64 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 64 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 85, 15 lines modified | Offset 85, 15 lines modified | ||
| 85 | <br><br> | 85 | <br><br> |
| 86 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 86 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 87 | servers,·and·the·remainder·obtaining·time·information·from·those | 87 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 88 | internal·servers. | 88 | internal·servers. |
| 89 | <br><br> | 89 | <br><br> |
| 90 | More·information·on·how·to·configure·the·NTP·server·software, | 90 | More·information·on·how·to·configure·the·NTP·server·software, |
| 91 | including·configuration·of·cryptographic·authentication·for | 91 | including·configuration·of·cryptographic·authentication·for |
| 92 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 92 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 94 | ·········· | 94 | ·········· |
| 95 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 95 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 96 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 96 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 97 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 97 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 98 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 98 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 99 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 99 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 103, 15 lines modified | Offset 103, 15 lines modified | ||
| 103 | logs·and·auditing·possible·security·breaches.·· | 103 | logs·and·auditing·possible·security·breaches.·· |
| 104 | <br><br> | 104 | <br><br> |
| 105 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 105 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 106 | deprecated.··Additional·information·on·this·is·available·at· | 106 | deprecated.··Additional·information·on·this·is·available·at· |
| 107 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 107 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 108 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 108 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 109 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29653">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29653"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 111 | # | 111 | # |
| 112 | #·Example·Call(s): | 112 | #·Example·Call(s): |
| 113 | # | 113 | # |
| 114 | #·····service_command·enable·bluetooth | 114 | #·····service_command·enable·bluetooth |
| 115 | #·····service_command·disable·bluetooth.service | 115 | #·····service_command·disable·bluetooth.service |
| 116 | # | 116 | # |
| 117 | #·····Using·xinetd: | 117 | #·····Using·xinetd: |
| Offset 179, 15 lines modified | Offset 179, 15 lines modified | ||
| 179 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 179 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 180 | ··fi | 180 | ··fi |
| 181 | fi | 181 | fi |
| 182 | } | 182 | } |
| 183 | service_command·enable·ntpd | 183 | service_command·enable·ntpd |
| 184 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 184 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29655">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29655"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 185 | ··service: | 185 | ··service: |
| 186 | ····name="{{item}}" | 186 | ····name="{{item}}" |
| 187 | ····enabled="yes" | 187 | ····enabled="yes" |
| 188 | ····state="started" | 188 | ····state="started" |
| 189 | ··with_items: | 189 | ··with_items: |
| 190 | ····-·ntpd | 190 | ····-·ntpd |
| 191 | ··tags: | 191 | ··tags: |
| Offset 196, 241 lines modified | Offset 196, 26 lines modified | ||
| 196 | ····-·enable_strategy | 196 | ····-·enable_strategy |
| 197 | ····-·low_complexity | 197 | ····-·low_complexity |
| 198 | ····-·low_disruption | 198 | ····-·low_disruption |
| 199 | ····-·CCE-27093-4 | 199 | ····-·CCE-27093-4 |
| 200 | ····-·NIST-800-53-AU-8(1) | 200 | ····-·NIST-800-53-AU-8(1) |
| 201 | ····-·PCI-DSS-Req-10.4 | 201 | ····-·PCI-DSS-Req-10.4 |
| 202 | ····-·DISA-STIG-RHEL-06-000247 | 202 | ····-·DISA-STIG-RHEL-06-000247 |
| 203 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 203 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29660"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 204 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 204 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 205 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 205 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 206 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 206 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 207 | <pre>server·<i>ntpserver</i></pre> | 207 | <pre>server·<i>ntpserver</i></pre> |
| 208 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 208 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 209 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 209 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 210 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 210 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 211 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 211 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 212 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 212 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 213 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 213 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 214 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 214 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 215 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 216 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 217 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 218 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 219 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30001"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 221 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 222 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 223 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 224 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 225 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 226 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 227 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27070-2">CCE-27070-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 228 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000224</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30013">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30013"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 229 | # | ||
| 230 | #·Example·Call(s): | ||
| 231 | # | ||
| 232 | #·····service_command·enable·bluetooth | ||
| 233 | #·····service_command·disable·bluetooth.service | ||
| 234 | # | ||
| 235 | #·····Using·xinetd: | ||
| 236 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 237 | # | ||
| 238 | function·service_command·{ | ||
| 239 | #·Load·function·arguments·into·local·variables | ||
| 240 | local·service_state=$1 | ||
| 241 | local·service=$2 | ||
| 242 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 243 | #·Check·sanity·of·the·input | ||
| 244 | if·[·$#·-lt·"2"·] | ||
| 245 | then | ||
| 246 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 247 | ··echo | ||
| 248 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 249 | ··echo·"as·the·last·argument"·· | ||
| 250 | ··echo·"Aborting." | ||
| 251 | ··exit·1 | ||
| 252 | fi | ||
| 253 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 254 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| Max diff block lines reached; 1977976/2009812 bytes (98.42%) of diff not shown. | |||
| Offset 55, 15 lines modified | Offset 55, 15 lines modified | ||
| 55 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 55 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 56 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 56 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 57 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 57 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 58 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 58 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 59 | quality,·reliability,·or·any·other·characteristic. | 59 | quality,·reliability,·or·any·other·characteristic. |
| 60 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 60 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 61 | ····························(as·of·2018-07-26) | 61 | ····························(as·of·2018-07-26) |
| 62 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 62 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href[·...·truncated·by·diffoscope;·len:·837,·SHA1:·9eb0d8fb27d69580f55a433ff04eb02c23276d4a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 64 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 64 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 65 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 65 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 66 | ones·can·be·safely·disabled. | 66 | ones·can·be·safely·disabled. |
| 67 | <br><br> | 67 | <br><br> |
| 68 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 68 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 69 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 69 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 76, 61 lines modified | Offset 76, 31 lines modified | ||
| 76 | <br><br> | 76 | <br><br> |
| 77 | However,·there·are·some·FTP·server·configurations·which·may | 77 | However,·there·are·some·FTP·server·configurations·which·may |
| 78 | be·appropriate·for·some·environments,·particularly·those·which | 78 | be·appropriate·for·some·environments,·particularly·those·which |
| 79 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 79 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 80 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 80 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 82 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 82 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 83 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 83 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29014"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 84 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 85 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 86 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 87 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 88 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 89 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 84 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 85 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 91 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 86 | <pre>xferlog_enable=YES | 92 | <pre>xferlog_enable=YES |
| 87 | xferlog_std_format=NO | 93 | xferlog_std_format=NO |
| 88 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 94 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 89 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 95 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 90 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 91 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 99 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 99 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 100 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 101 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 102 | parameters·from·a·server. | ||
| 103 | <br><br> | ||
| 104 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 105 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 106 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 107 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 108 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 109 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 110 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 111 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 112 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29631"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 113 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 114 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 115 | following·changes: | ||
| 116 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 117 | <pre>BOOTPROTO=none</pre> | ||
| 118 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 119 | values·based·on·your·site's·addressing·scheme: | ||
| 120 | <pre>NETMASK=255.255.255.0 | ||
| 121 | IPADDR=192.168.1.2 | ||
| 122 | GATEWAY=192.168.1.1</pre> | ||
| 123 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 124 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 125 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 126 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 127 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 128 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27021-5">CCE-27021-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000292</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 130 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 100 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 131 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 101 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 132 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 102 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 133 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 103 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 134 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 104 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 135 | outside·world. | 105 | outside·world. |
| 136 | <br><br> | 106 | <br><br> |
| Offset 149, 15 lines modified | Offset 119, 15 lines modified | ||
| 149 | <br><br> | 119 | <br><br> |
| 150 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 120 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 151 | servers,·and·the·remainder·obtaining·time·information·from·those | 121 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 152 | internal·servers. | 122 | internal·servers. |
| 153 | <br><br> | 123 | <br><br> |
| 154 | More·information·on·how·to·configure·the·NTP·server·software, | 124 | More·information·on·how·to·configure·the·NTP·server·software, |
| 155 | including·configuration·of·cryptographic·authentication·for | 125 | including·configuration·of·cryptographic·authentication·for |
| 156 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 126 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29634"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 157 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 158 | ·········· | 128 | ·········· |
| 159 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 129 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 160 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 130 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 161 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 131 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 162 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 132 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 163 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 133 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 167, 15 lines modified | Offset 137, 15 lines modified | ||
| 167 | logs·and·auditing·possible·security·breaches.·· | 137 | logs·and·auditing·possible·security·breaches.·· |
| 168 | <br><br> | 138 | <br><br> |
| 169 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 139 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 170 | deprecated.··Additional·information·on·this·is·available·at· | 140 | deprecated.··Additional·information·on·this·is·available·at· |
| 171 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 141 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 172 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 142 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 173 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 143 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 174 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 144 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29653">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29653"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 175 | # | 145 | # |
| 176 | #·Example·Call(s): | 146 | #·Example·Call(s): |
| 177 | # | 147 | # |
| 178 | #·····service_command·enable·bluetooth | 148 | #·····service_command·enable·bluetooth |
| 179 | #·····service_command·disable·bluetooth.service | 149 | #·····service_command·disable·bluetooth.service |
| 180 | # | 150 | # |
| 181 | #·····Using·xinetd: | 151 | #·····Using·xinetd: |
| Offset 243, 15 lines modified | Offset 213, 15 lines modified | ||
| 243 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 213 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 244 | ··fi | 214 | ··fi |
| 245 | fi | 215 | fi |
| 246 | } | 216 | } |
| 247 | service_command·enable·ntpd | 217 | service_command·enable·ntpd |
| 248 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 218 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29655">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29655"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 249 | ··service: | 219 | ··service: |
| 250 | ····name="{{item}}" | 220 | ····name="{{item}}" |
| 251 | ····enabled="yes" | 221 | ····enabled="yes" |
| Max diff block lines reached; 2835411/2865155 bytes (98.96%) of diff not shown. | |||
| Offset 49, 15 lines modified | Offset 49, 15 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·988,·SHA1:·72fb730629963fd35d8a9f3a941a3c4bb087dd81·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 428, 200 lines modified | Offset 428, 14 lines modified | ||
| 428 | class·remove_httpd·{ | 428 | class·remove_httpd·{ |
| 429 | ··package·{·'httpd': | 429 | ··package·{·'httpd': |
| 430 | ····ensure·=>·'purged', | 430 | ····ensure·=>·'purged', |
| 431 | ··} | 431 | ··} |
| 432 | } | 432 | } |
| 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 434 | package·--remove=httpd | 434 | package·--remove=httpd |
| 435 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 436 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 437 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 438 | parameters·from·a·server. | ||
| 439 | <br><br> | ||
| 440 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 441 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 442 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 443 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 444 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 445 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 446 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 447 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 448 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 449 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 450 | the·dhcp·package·can·be·uninstalled. | ||
| 451 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 452 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 453 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 454 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 455 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27120-5">CCE-27120-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 456 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 457 | # | ||
| 458 | #·Example·Call(s): | ||
| 459 | # | ||
| 460 | #·····package_remove·telnet-server | ||
| 461 | # | ||
| 462 | function·package_remove·{ | ||
| 463 | #·Load·function·arguments·into·local·variables | ||
| 464 | local·package="$1" | ||
| 465 | #·Check·sanity·of·the·input | ||
| 466 | if·[·$#·-ne·"1"·] | ||
| 467 | then | ||
| 468 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 469 | ··echo·"Aborting." | ||
| 470 | ··exit·1 | ||
| 471 | fi | ||
| 472 | if·which·dnf·;·then | ||
| 473 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 474 | ····dnf·remove·-y·"$package" | ||
| 475 | ··fi | ||
| 476 | elif·which·yum·;·then | ||
| 477 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 478 | ····yum·remove·-y·"$package" | ||
| 479 | ··fi | ||
| 480 | elif·which·apt-get·;·then | ||
| 481 | ··apt-get·remove·-y·"$package" | ||
| 482 | else | ||
| 483 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 484 | ··echo·"Aborting." | ||
| 485 | ··exit·1 | ||
| 486 | fi | ||
| 487 | } | ||
| 488 | package_remove·dhcp | ||
| 489 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29718">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29718"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 490 | ··package: | ||
| 491 | ····name="{{item}}" | ||
| 492 | ····state=absent | ||
| 493 | ··with_items: | ||
| 494 | ····-·dhcp | ||
| 495 | ··tags: | ||
| 496 | ····-·package_dhcp_removed | ||
| 497 | ····-·medium_severity | ||
| 498 | ····-·disable_strategy | ||
| 499 | ····-·low_complexity | ||
| 500 | ····-·low_disruption | ||
| 501 | ····-·CCE-27120-5 | ||
| 502 | ····-·NIST-800-53-CM-7 | ||
| 503 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29719">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29719"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 504 | class·remove_dhcp·{ | ||
| 505 | ··package·{·'dhcp': | ||
| 506 | ····ensure·=>·'purged', | ||
| 507 | ··} | ||
| 508 | } | ||
| 509 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29720">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29720"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 510 | package·--remove=dhcp | ||
| 511 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29725"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 512 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 513 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 514 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 515 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 516 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 517 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 518 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 519 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27074-4">CCE-27074-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 520 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29735">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29735"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 521 | # | ||
| 522 | #·Example·Call(s): | ||
| 523 | # | ||
| 524 | #·····service_command·enable·bluetooth | ||
| 525 | #·····service_command·disable·bluetooth.service | ||
| 526 | # | ||
| 527 | #·····Using·xinetd: | ||
| 528 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 529 | # | ||
| 530 | function·service_command·{ | ||
| Max diff block lines reached; 2153407/2175461 bytes (98.99%) of diff not shown. | |||
| Offset 1345, 37 lines modified | Offset 1345, 30 lines modified | ||
| 1345 | ····-·medium_disruption | 1345 | ····-·medium_disruption |
| 1346 | ····-·CCE-80111-8 | 1346 | ····-·CCE-80111-8 |
| 1347 | ····-·NIST-800-53-AC-11(a) | 1347 | ····-·NIST-800-53-AC-11(a) |
| 1348 | ····-·NIST-800-171-3.1.10 | 1348 | ····-·NIST-800-171-3.1.10 |
| 1349 | ····-·PCI-DSS-Req-8.1.8 | 1349 | ····-·PCI-DSS-Req-8.1.8 |
| 1350 | ····-·CJIS-5.5.5 | 1350 | ····-·CJIS-5.5.5 |
| 1351 | ····-·DISA-STIG-RHEL-07-010100 | 1351 | ····-·DISA-STIG-RHEL-07-010100 |
| 1352 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_ | 1352 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·id="guide-tree-leaf-idm95666"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">Implement·Blank·Screensaver |
| 1353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_ | 1353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen, |
| 1354 | 1354 | add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in | |
| 1355 | 1355 | <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example: | |
| 1356 | < | 1356 | <pre>[org/gnome/desktop/screensaver] |
| 1357 | 1357 | picture-uri=string·'' | |
| 1358 | < | 1358 | </pre> |
| 1359 | 1359 | Once·the·settings·have·been·added,·add·a·lock·to | |
| 1360 | idle-delay='uint32·900'</pre> | ||
| 1361 | Once·the·setting·has·been·added,·add·a·lock·to | ||
| 1362 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | 1360 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. |
| 1363 | For·example: | 1361 | For·example: |
| 1364 | <pre>/org/gnome/desktop/ses | 1362 | <pre>/org/gnome/desktop/screensaver/picture-uri</pre> |
| 1365 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p> | 1363 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>Setting·the·screensaver·mode·to·blank-only·conceals·the |
| 1366 | t | 1364 | contents·of·the·display·from·passersby.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1367 | te | 1365 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1368 | s | 1366 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80113-4">CCE-80113-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1369 | a· | 1367 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000060</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95684">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95684"><pre><code>function·include_dconf_settings·{ |
| 1370 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1371 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1372 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95714">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95714"><pre><code> | ||
| 1373 | inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>" | ||
| 1374 | function·include_dconf_settings·{ | ||
| 1375 | » : | 1368 | » : |
| 1376 | } | 1369 | } |
| 1377 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1370 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1378 | # | 1371 | # |
| 1379 | #·Example·Call(s): | 1372 | #·Example·Call(s): |
| 1380 | # | 1373 | # |
| Offset 1442, 76 lines modified | Offset 1435, 75 lines modified | ||
| 1442 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1435 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1443 | » fi | 1436 | » fi |
| 1444 | } | 1437 | } |
| 1445 | include_dconf_settings | 1438 | include_dconf_settings |
| 1446 | dconf_settings·'org/gnome/desktop/s | 1439 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 1447 | dconf_lock·'org/gnome/desktop/ses | 1440 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 1448 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm95 | 1441 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm95686">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95686"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr></table><pre><code>-·name:·"Implement·Blank·Screensaver" |
| 1449 | ··set_fact: | ||
| 1450 | ····inactivity_timeout_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr> | ||
| 1451 | ··tags: | ||
| 1452 | ····-·always | ||
| 1453 | -·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 1454 | ··ini_file: | 1442 | ··ini_file: |
| 1455 | ····dest:·"/etc/dconf/db/local.d/00-security-settings" | 1443 | ····dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 1456 | ····section:·"org/gnome/desktop/screensaver" | 1444 | ····section:·"org/gnome/desktop/screensaver" |
| 1457 | ····option:·i | 1445 | ····option:·picture-uri |
| 1458 | ····value:· | 1446 | ····value:·string·'' |
| 1459 | ····create:·yes | 1447 | ····create:·yes |
| 1460 | ··tags: | 1448 | ··tags: |
| 1461 | ····-·dconf_gnome_screensaver_ | 1449 | ····-·dconf_gnome_screensaver_mode_blank |
| 1462 | ····-· | 1450 | ····-·unknown_severity |
| 1463 | ····-·unknown_strategy | 1451 | ····-·unknown_strategy |
| 1464 | ····-·low_complexity | 1452 | ····-·low_complexity |
| 1465 | ····-·medium_disruption | 1453 | ····-·medium_disruption |
| 1466 | ····-·CCE-8011 | 1454 | ····-·CCE-80113-4 |
| 1467 | ····-·NIST-800-53-AC-11( | 1455 | ····-·NIST-800-53-AC-11(b) |
| 1468 | ····-·NIST-800-171-3.1.10 | 1456 | ····-·NIST-800-171-3.1.10 |
| 1469 | ····-·PCI-DSS-Req-8.1.8 | 1457 | ····-·PCI-DSS-Req-8.1.8 |
| 1470 | ····-·CJIS-5.5.5 | 1458 | ····-·CJIS-5.5.5 |
| 1471 | ····-·DISA-STIG-RHEL-07-010070 | ||
| 1472 | -·name:·"Prevent·user·modification·of·GNOME·i | 1459 | -·name:·"Prevent·user·modification·of·GNOME·picture-uri" |
| 1473 | ··lineinfile: | 1460 | ··lineinfile: |
| 1474 | ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 1461 | ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 1475 | ····regexp:·'^/org/gnome/desktop/screensaver/i | 1462 | ····regexp:·'^/org/gnome/desktop/screensaver/picture-uri' |
| 1476 | ····line:·'/org/gnome/desktop/screensaver/i | 1463 | ····line:·'/org/gnome/desktop/screensaver/picture-uri' |
| 1477 | ····create:·yes | 1464 | ····create:·yes |
| 1478 | ··tags: | 1465 | ··tags: |
| 1479 | ····-·dconf_gnome_screensaver_ | 1466 | ····-·dconf_gnome_screensaver_mode_blank |
| 1480 | ····-· | 1467 | ····-·unknown_severity |
| 1481 | ····-·unknown_strategy | 1468 | ····-·unknown_strategy |
| 1482 | ····-·low_complexity | 1469 | ····-·low_complexity |
| 1483 | ····-·medium_disruption | 1470 | ····-·medium_disruption |
| 1484 | ····-·CCE-8011 | 1471 | ····-·CCE-80113-4 |
| 1485 | ····-·NIST-800-53-AC-11( | 1472 | ····-·NIST-800-53-AC-11(b) |
| 1486 | ····-·NIST-800-171-3.1.10 | 1473 | ····-·NIST-800-171-3.1.10 |
| 1487 | ····-·PCI-DSS-Req-8.1.8 | 1474 | ····-·PCI-DSS-Req-8.1.8 |
| 1488 | ····-·CJIS-5.5.5 | 1475 | ····-·CJIS-5.5.5 |
| 1489 | ····-· | 1476 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·id="guide-tree-leaf-idm95691"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">Set·GNOME3·Screensaver·Inactivity·Timeout |
| 1490 | 1477 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code> | |
| 1491 | 1478 | setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory | |
| 1492 | a | 1479 | and·locked·in·<code>/etc/dconf/db/local.d/locks</code>·directory·to·prevent·user·modification. |
| 1493 | < | 1480 | <br><br> |
| 1494 | 1481 | For·example,·to·configure·the·system·for·a·15·minute·delay,·add·the·following·to | |
| 1495 | 1482 | <code>/etc/dconf/db/local.d/00-security-settings</code>: | |
| 1496 | </p | 1483 | <pre>[org/gnome/desktop/session] |
| 1497 | 1484 | idle-delay='uint32·900'</pre> | |
| 1485 | Once·the·setting·has·been·added,·add·a·lock·to | ||
| 1498 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | 1486 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. |
| 1499 | For·example: | 1487 | For·example: |
| 1500 | <pre>/org/gnome/desktop/s | 1488 | <pre>/org/gnome/desktop/session/idle-delay</pre> |
| 1501 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p> | 1489 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>A·session·time-out·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from |
| 1502 | 1490 | the·immediate·physical·vicinity·of·the·information·system·but·does·not·logout·because·of·the | |
| 1503 | 1491 | temporary·nature·of·the·absence.·Rather·than·relying·on·the·user·to·manually·lock·their·operating | |
| 1504 | 1492 | system·session·prior·to·vacating·the·vicinity,·GNOME3·can·be·configured·to·identify·when | |
| 1505 | 1493 | a·user's·session·has·idled·and·take·action·to·initiate·a·session·lock.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 1494 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1495 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1496 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95715">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95715"><pre><code> | ||
| 1497 | inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>" | ||
| 1498 | function·include_dconf_settings·{ | ||
| 1506 | » : | 1499 | » : |
| 1507 | } | 1500 | } |
| 1508 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1501 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1509 | # | 1502 | # |
| 1510 | #·Example·Call(s): | 1503 | #·Example·Call(s): |
| 1511 | # | 1504 | # |
| Offset 1578, 52 lines modified | Offset 1570, 60 lines modified | ||
| 1578 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1570 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1579 | » fi | 1571 | » fi |
| 1580 | } | 1572 | } |
| 1581 | include_dconf_settings | 1573 | include_dconf_settings |
| Max diff block lines reached; 339432/356902 bytes (95.11%) of diff not shown. | |||
| Offset 201, 103 lines modified | Offset 201, 103 lines modified | ||
| 201 | ····-·low_disruption | 201 | ····-·low_disruption |
| 202 | ····-·CCE-27336-7 | 202 | ····-·CCE-27336-7 |
| 203 | ····-·NIST-800-53-AC-17(8) | 203 | ····-·NIST-800-53-AC-17(8) |
| 204 | ····-·NIST-800-53-CM-7 | 204 | ····-·NIST-800-53-CM-7 |
| 205 | ····-·NIST-800-53-IA-5(1)(c) | 205 | ····-·NIST-800-53-IA-5(1)(c) |
| 206 | ····-·NIST-800-171-3.1.13 | 206 | ····-·NIST-800-171-3.1.13 |
| 207 | ····-·NIST-800-171-3.4.7 | 207 | ····-·NIST-800-171-3.4.7 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36065"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 210 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 210 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 211 | as·a·systemd·socket,·should·be·disabled. | 211 | as·a·systemd·socket,·should·be·disabled. |
| 212 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 212 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 213 | If·using·systemd,· | 213 | If·using·systemd,· |
| 214 | ········The·<code>r | 214 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 215 | ········<pre>$·sudo·systemctl·disable·r | 215 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 216 | means·that·data·from·the·login·session,·including·passwords·and | 216 | means·that·data·from·the·login·session,·including·passwords·and |
| 217 | all·other·information·transmitted·during·the·session,·can·be | 217 | all·other·information·transmitted·during·the·session,·can·be |
| 218 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 218 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 219 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 219 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 220 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 220 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27337-5">CCE-27337-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 221 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 221 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 222 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 222 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 223 | # | 223 | # |
| 224 | #·Disable·r | 224 | #·Disable·rsh.socket·for·all·systemd·targets |
| 225 | # | 225 | # |
| 226 | systemctl·disable·r | 226 | systemctl·disable·rsh.socket |
| 227 | # | 227 | # |
| 228 | #·Stop·r | 228 | #·Stop·rsh.socket·if·currently·running |
| 229 | # | 229 | # |
| 230 | systemctl·stop·r | 230 | systemctl·stop·rsh.socket |
| 231 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 231 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 232 | ··service: | 232 | ··service: |
| 233 | ····name="{{item}}" | 233 | ····name="{{item}}" |
| 234 | ····enabled="no" | 234 | ····enabled="no" |
| 235 | ····state="stopped" | 235 | ····state="stopped" |
| 236 | ··register:·service_result | 236 | ··register:·service_result |
| 237 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 237 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 238 | ··with_items: | 238 | ··with_items: |
| 239 | ····-·r | 239 | ····-·rsh |
| 240 | ··tags: | 240 | ··tags: |
| 241 | ····-·service_r | 241 | ····-·service_rsh_disabled |
| 242 | ····-·high_severity | 242 | ····-·high_severity |
| 243 | ····-·disable_strategy | 243 | ····-·disable_strategy |
| 244 | ····-·low_complexity | 244 | ····-·low_complexity |
| 245 | ····-·low_disruption | 245 | ····-·low_disruption |
| 246 | ····-·CCE-27 | 246 | ····-·CCE-27337-5 |
| 247 | ····-·NIST-800-53-AC-17(8) | 247 | ····-·NIST-800-53-AC-17(8) |
| 248 | ····-·NIST-800-53-CM-7 | 248 | ····-·NIST-800-53-CM-7 |
| 249 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 249 | ····-·NIST-800-171-3.1.13 | 250 | ····-·NIST-800-171-3.1.13 |
| 250 | ····-·NIST-800-171-3.4.7 | 251 | ····-·NIST-800-171-3.4.7 |
| 251 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 252 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 252 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 253 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 253 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 254 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 254 | as·a·systemd·socket,·should·be·disabled. | 255 | as·a·systemd·socket,·should·be·disabled. |
| 255 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 256 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 256 | If·using·systemd,· | 257 | If·using·systemd,· |
| 257 | ········The·<code>r | 258 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 258 | ········<pre>$·sudo·systemctl·disable·r | 259 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 259 | means·that·data·from·the·login·session,·including·passwords·and | 260 | means·that·data·from·the·login·session,·including·passwords·and |
| 260 | all·other·information·transmitted·during·the·session,·can·be | 261 | all·other·information·transmitted·during·the·session,·can·be |
| 261 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 262 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 262 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 263 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 263 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 264 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 264 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 265 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 265 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 266 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 266 | # | 267 | # |
| 267 | #·Disable·r | 268 | #·Disable·rexec.socket·for·all·systemd·targets |
| 268 | # | 269 | # |
| 269 | systemctl·disable·r | 270 | systemctl·disable·rexec.socket |
| 270 | # | 271 | # |
| 271 | #·Stop·r | 272 | #·Stop·rexec.socket·if·currently·running |
| 272 | # | 273 | # |
| 273 | systemctl·stop·r | 274 | systemctl·stop·rexec.socket |
| 274 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 275 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 275 | ··service: | 276 | ··service: |
| 276 | ····name="{{item}}" | 277 | ····name="{{item}}" |
| 277 | ····enabled="no" | 278 | ····enabled="no" |
| 278 | ····state="stopped" | 279 | ····state="stopped" |
| 279 | ··register:·service_result | 280 | ··register:·service_result |
| 280 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 281 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 281 | ··with_items: | 282 | ··with_items: |
| 282 | ····-·r | 283 | ····-·rexec |
| 283 | ··tags: | 284 | ··tags: |
| 284 | ····-·service_r | 285 | ····-·service_rexec_disabled |
| 285 | ····-·high_severity | 286 | ····-·high_severity |
| 286 | ····-·disable_strategy | 287 | ····-·disable_strategy |
| 287 | ····-·low_complexity | 288 | ····-·low_complexity |
| 288 | ····-·low_disruption | 289 | ····-·low_disruption |
| 289 | ····-·CCE-27 | 290 | ····-·CCE-27408-4 |
| 290 | ····-·NIST-800-53-AC-17(8) | 291 | ····-·NIST-800-53-AC-17(8) |
| 291 | ····-·NIST-800-53-CM-7 | 292 | ····-·NIST-800-53-CM-7 |
| 292 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 293 | ····-·NIST-800-171-3.1.13 | 293 | ····-·NIST-800-171-3.1.13 |
| 294 | ····-·NIST-800-171-3.4.7 | 294 | ····-·NIST-800-171-3.4.7 |
| 295 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files | 295 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files |
| 296 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in | 296 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in |
| 297 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the | 297 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the |
| 298 | local·system·when·using·the·rshd·daemon. | 298 | local·system·when·using·the·rshd·daemon. |
| 299 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 299 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| Offset 735, 98 lines modified | Offset 735, 26 lines modified | ||
| 735 | ····-·NIST-800-53-AC-17(8) | 735 | ····-·NIST-800-53-AC-17(8) |
| 736 | ····-·NIST-800-53-CM-7 | 736 | ····-·NIST-800-53-CM-7 |
| 737 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 737 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 738 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 738 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 739 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 739 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 740 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 740 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 741 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 741 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 742 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 742 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 743 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 744 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 745 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 746 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 747 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 748 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 749 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 750 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27361-5">CCE-27361-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 751 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-TBD</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.4.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36481">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36481"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 752 | # | ||
| 753 | #·Example·Call(s): | ||
| 754 | # | ||
| 755 | #·····package_install·aide | ||
| Max diff block lines reached; 931369/958855 bytes (97.13%) of diff not shown. | |||
| Offset 1224, 15 lines modified | Offset 1224, 15 lines modified | ||
| 1224 | The·following·recommendations·describe·how·to·strengthen·the | 1224 | The·following·recommendations·describe·how·to·strengthen·the |
| 1225 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1225 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1226 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1226 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1227 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1227 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1228 | and·<code>/etc/firewalld/zones</code>·directories. | 1228 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1229 | <br><br> | 1229 | <br><br> |
| 1230 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1230 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1231 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm41 | 1231 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm41167"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1233 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1233 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1234 | modify·the·following·line·in | 1234 | modify·the·following·line·in |
| 1235 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1235 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1236 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1236 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1237 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1237 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1238 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1238 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1298, 25 lines modified | Offset 1298, 25 lines modified | ||
| 1298 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1298 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1299 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1299 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1300 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1300 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1301 | vnc-server·wbem-https | 1301 | vnc-server·wbem-https |
| 1302 | </pre> | 1302 | </pre> |
| 1303 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1303 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1304 | service·reload,·enter·the·following·command·as·root: | 1304 | service·reload,·enter·the·following·command·as·root: |
| 1305 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm41 | 1305 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm41298"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1307 | ·············· | 1307 | ·············· |
| 1308 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1308 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1309 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1309 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1310 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1310 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1311 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1311 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1312 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1312 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1313 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1313 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1314 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27361-5">CCE-27361-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1314 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27361-5">CCE-27361-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1315 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1315 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41314">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41314"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1316 | # | 1316 | # |
| 1317 | #·Example·Call(s): | 1317 | #·Example·Call(s): |
| 1318 | # | 1318 | # |
| 1319 | #·····service_command·enable·bluetooth | 1319 | #·····service_command·enable·bluetooth |
| 1320 | #·····service_command·disable·bluetooth.service | 1320 | #·····service_command·disable·bluetooth.service |
| 1321 | # | 1321 | # |
| 1322 | #·····Using·xinetd: | 1322 | #·····Using·xinetd: |
| Offset 1384, 15 lines modified | Offset 1384, 15 lines modified | ||
| 1384 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1384 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1385 | ··fi | 1385 | ··fi |
| 1386 | fi | 1386 | fi |
| 1387 | } | 1387 | } |
| 1388 | service_command·enable·firewalld | 1388 | service_command·enable·firewalld |
| 1389 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1389 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41316">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41316"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1390 | ··service: | 1390 | ··service: |
| 1391 | ····name="{{item}}" | 1391 | ····name="{{item}}" |
| 1392 | ····enabled="yes" | 1392 | ····enabled="yes" |
| 1393 | ····state="started" | 1393 | ····state="started" |
| 1394 | ··with_items: | 1394 | ··with_items: |
| 1395 | ····-·firewalld | 1395 | ····-·firewalld |
| 1396 | ··tags: | 1396 | ··tags: |
| Offset 1543, 40 lines modified | Offset 1543, 42 lines modified | ||
| 1543 | ····-·NIST-800-53-AC-4 | 1543 | ····-·NIST-800-53-AC-4 |
| 1544 | ····-·NIST-800-53-CM-7 | 1544 | ····-·NIST-800-53-CM-7 |
| 1545 | ····-·NIST-800-53-SC-5 | 1545 | ····-·NIST-800-53-SC-5 |
| 1546 | ····-·NIST-800-53-SC-7 | 1546 | ····-·NIST-800-53-SC-7 |
| 1547 | ····-·NIST-800-171-3.1.20 | 1547 | ····-·NIST-800-171-3.1.20 |
| 1548 | ····-·CJIS-5.10.1.1 | 1548 | ····-·CJIS-5.10.1.1 |
| 1549 | ····-·DISA-STIG-RHEL-07-040620 | 1549 | ····-·DISA-STIG-RHEL-07-040620 |
| 1550 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1550 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·id="guide-tree-leaf-idm41843"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network_host_and_router_parameters"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">Configure·Kernel·Parameter·for·Accepting·ICMP·Redirects·By·Default |
| 1551 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1551 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1552 | ·············· | 1552 | ·············· |
| 1553 | ····To·set·the·runtime·status·of·the·<code>net.ipv4. | 1553 | ····To·set·the·runtime·status·of·the·<code>net.ipv4.conf.default.accept_redirects</code>·kernel·parameter, |
| 1554 | ····run·the·following·command: | 1554 | ····run·the·following·command: |
| 1555 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4. | 1555 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4.conf.default.accept_redirects=0</pre> |
| 1556 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: | 1556 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: |
| 1557 | ····<pre·xml:space="preserve">net.ipv4. | 1557 | ····<pre·xml:space="preserve">net.ipv4.conf.default.accept_redirects·=·0</pre> |
| 1558 | ············</p><span·class="label·label-primary">Rationale:</span><p> | 1558 | ············</p><span·class="label·label-primary">Rationale:</span><p>ICMP·redirect·messages·are·used·by·routers·to·inform·hosts·that·a·more·direct |
| 1559 | 1559 | route·exists·for·a·particular·destination.·These·messages·modify·the·host's·route·table | |
| 1560 | and·are·unauthenticated.·An·illicit·ICMP·redirect·message·could·result·in·a·man-in-the-middle | ||
| 1561 | attack. | ||
| 1560 | <br> | 1562 | <br> |
| 1561 | 1563 | This·feature·of·the·IPv4·protocol·has·few·legitimate·uses.·It·should·be·disabled·unless· | |
| 1562 | a | 1564 | absolutely·required.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1563 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1565 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1564 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-8016 | 1566 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80163-9">CCE-80163-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1565 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-0406 | 1567 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040640</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86913r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·sc[·...·truncated·by·diffoscope;·len:·133,·SHA1:·6f3219a3e8449b36e8b829a0e96ab3e61408914d·...·]"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 1566 | sysctl_net_ipv4_ | 1568 | sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr>" |
| 1567 | # | 1569 | # |
| 1568 | #·Set·runtime·for·net.ipv4. | 1570 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 1569 | # | 1571 | # |
| 1570 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1572 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 1571 | # | 1573 | # |
| 1572 | #·If·net.ipv4. | 1574 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1573 | #» else,·add·"net.ipv4. | 1575 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1574 | # | 1576 | # |
| 1575 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1577 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1576 | #·it·does·not·exist. | 1578 | #·it·does·not·exist. |
| 1577 | # | 1579 | # |
| 1578 | #·Expects·arguments: | 1580 | #·Expects·arguments: |
| 1579 | # | 1581 | # |
| 1580 | #·config_file:» » Configuration·file·that·will·be·modified | 1582 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1648, 68 lines modified | Offset 1650, 69 lines modified | ||
| 1648 | ··else | 1650 | ··else |
| 1649 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1651 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1650 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1652 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1651 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1653 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1652 | ··fi | 1654 | ··fi |
| 1653 | } | 1655 | } |
| 1654 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1656 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1655 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm418 | 1657 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41867">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41867"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·XCCDF·Value·sysctl_net_ipv4_conf_default_accept_redirects_value·#·promote·to·variable |
| 1656 | ··set_fact: | 1658 | ··set_fact: |
| 1657 | ····sysctl_net_ipv4_ | 1659 | ····sysctl_net_ipv4_conf_default_accept_redirects_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr> |
| 1658 | ··tags: | 1660 | ··tags: |
| 1659 | ····-·always | 1661 | ····-·always |
| 1660 | -·name:·Ensure·sysctl·net.ipv4. | 1662 | -·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 1661 | ··sysctl: | 1663 | ··sysctl: |
| 1662 | ····name:·net.ipv4. | 1664 | ····name:·net.ipv4.conf.default.accept_redirects |
| 1663 | ····value:·"{{·sysctl_net_ipv4_ | 1665 | ····value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 1664 | ····state:·present | 1666 | ····state:·present |
| 1665 | ····reload:·yes | 1667 | ····reload:·yes |
| 1666 | ··tags: | 1668 | ··tags: |
| 1667 | ····-·sysctl_net_ipv4_ | 1669 | ····-·sysctl_net_ipv4_conf_default_accept_redirects |
| 1668 | ····-·medium_severity | 1670 | ····-·medium_severity |
| 1669 | ····-·disable_strategy | 1671 | ····-·disable_strategy |
| 1670 | ····-·low_complexity | 1672 | ····-·low_complexity |
| 1671 | ····-·medium_disruption | 1673 | ····-·medium_disruption |
| Max diff block lines reached; 507223/528620 bytes (95.95%) of diff not shown. | |||
| Offset 196, 15 lines modified | Offset 196, 39 lines modified | ||
| 196 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system | 196 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system |
| 197 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled | 197 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled |
| 198 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server | 198 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 199 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at | 199 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 200 | least·one·nameserver.·However,·there·are·many·common·attacks | 200 | least·one·nameserver.·However,·there·are·many·common·attacks |
| 201 | involving·DNS·server·software,·and·this·server·software·should | 201 | involving·DNS·server·software,·and·this·server·software·should |
| 202 | be·disabled·on·any·system | 202 | be·disabled·on·any·system |
| 203 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_ | 203 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 205 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 206 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 207 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 208 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 209 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 210 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 211 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 212 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 213 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 214 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 215 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 216 | <pre>options·{ | ||
| 217 | directory·"/path/to/DIRNAME·"; | ||
| 218 | ... | ||
| 219 | }</pre> | ||
| 220 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 221 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 222 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 223 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 224 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 225 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 226 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 227 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | ||
| 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it | 228 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it |
| 205 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify | 229 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify |
| 206 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries | 230 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries |
| 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on | 231 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on |
| 208 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On | 232 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On |
| 209 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the | 233 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the |
| 210 | following·directives: | 234 | following·directives: |
| Offset 252, 39 lines modified | Offset 276, 15 lines modified | ||
| 252 | view·"external-view"·{ | 276 | view·"external-view"·{ |
| 253 | ··match-clients·{·any;·}; | 277 | ··match-clients·{·any;·}; |
| 254 | ··recursion·no; | 278 | ··recursion·no; |
| 255 | ··zone·"example.com·"·IN·{ | 279 | ··zone·"example.com·"·IN·{ |
| 256 | ····... | 280 | ····... |
| 257 | ··}; | 281 | ··}; |
| 258 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_d | 282 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server |
| 259 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 260 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 261 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 262 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 263 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 264 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 265 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 266 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 267 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 268 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 269 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 270 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 271 | <pre>options·{ | ||
| 272 | directory·"/path/to/DIRNAME·"; | ||
| 273 | ... | ||
| 274 | }</pre> | ||
| 275 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 276 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 277 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 278 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 279 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 280 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 281 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 282 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server | ||
| 283 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not | 283 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not |
| 284 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is | 284 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is |
| 285 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section | 285 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section |
| 286 | discusses·secure·configuration·of·systems·which·must·be | 286 | discusses·secure·configuration·of·systems·which·must·be |
| 287 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP | 287 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 288 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a | 288 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 289 | standardized·way·of·looking·up·information·from·a·central·database. | 289 | standardized·way·of·looking·up·information·from·a·central·database. |
| Offset 1068, 30 lines modified | Offset 1068, 30 lines modified | ||
| 1068 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to | 1068 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to |
| 1069 | privilege·escalation.·Packages·that·include·network·services·may·give | 1069 | privilege·escalation.·Packages·that·include·network·services·may·give |
| 1070 | this·opportunity·to·network-based·attackers.·Packages·that·include | 1070 | this·opportunity·to·network-based·attackers.·Packages·that·include |
| 1071 | programs·which·are·predictably·executed·by·local·users·(e.g.·after | 1071 | programs·which·are·predictably·executed·by·local·users·(e.g.·after |
| 1072 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other | 1072 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other |
| 1073 | attack·code·to·be·run·undetected.·The·number·of·software·packages | 1073 | attack·code·to·be·run·undetected.·The·number·of·software·packages |
| 1074 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include | 1074 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include |
| 1075 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle- | 1075 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege |
| 1076 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1077 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1078 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1079 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1080 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1081 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1082 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege | ||
| 1083 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. | 1076 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. |
| 1084 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user | 1077 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user |
| 1085 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit | 1078 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit |
| 1086 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in | 1079 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in |
| 1087 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of | 1080 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of |
| 1088 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the | 1081 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the |
| 1089 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the | 1082 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the |
| 1090 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-se | 1083 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-use-security-tools">Configure·Security·Tools·to·Improve·System·Robustness |
| 1084 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1085 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1086 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1087 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1088 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1089 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1090 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-separate-servers"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-separate-servers">Run·Different·Network·Services·on·Separate·Systems | ||
| 1091 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one | 1091 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one |
| 1092 | network·service.·This·limits·the·number·of·other·services·that·can | 1092 | network·service.·This·limits·the·number·of·other·services·that·can |
| 1093 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully | 1093 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully |
| 1094 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible | 1094 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible |
| 1095 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible | 1095 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible |
| 1096 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting | 1096 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting |
| 1097 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to | 1097 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to |
| Offset 1156, 15 lines modified | Offset 1156, 35 lines modified | ||
| 1156 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an | 1156 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an |
| 1157 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not | 1157 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not |
| 1158 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to | 1158 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to |
| 1159 | introduce·spurious·messages·to·the·central·log·server.·Also,·some | 1159 | introduce·spurious·messages·to·the·central·log·server.·Also,·some |
| 1160 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the | 1160 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the |
| 1161 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is | 1161 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is |
| 1162 | better·to·store·log·messages·both·centrally·and·on·each·host,·so | 1162 | better·to·store·log·messages·both·centrally·and·on·each·host,·so |
| 1163 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1163 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 1164 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| Max diff block lines reached; 51591/77709 bytes (66.39%) of diff not shown. | |||
| Offset 199, 103 lines modified | Offset 199, 103 lines modified | ||
| 199 | ····-·low_disruption | 199 | ····-·low_disruption |
| 200 | ····-·CCE-27336-7 | 200 | ····-·CCE-27336-7 |
| 201 | ····-·NIST-800-53-AC-17(8) | 201 | ····-·NIST-800-53-AC-17(8) |
| 202 | ····-·NIST-800-53-CM-7 | 202 | ····-·NIST-800-53-CM-7 |
| 203 | ····-·NIST-800-53-IA-5(1)(c) | 203 | ····-·NIST-800-53-IA-5(1)(c) |
| 204 | ····-·NIST-800-171-3.1.13 | 204 | ····-·NIST-800-171-3.1.13 |
| 205 | ····-·NIST-800-171-3.4.7 | 205 | ····-·NIST-800-171-3.4.7 |
| 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36065"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 207 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 207 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 208 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 208 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 209 | as·a·systemd·socket,·should·be·disabled. | 209 | as·a·systemd·socket,·should·be·disabled. |
| 210 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 210 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 211 | If·using·systemd,· | 211 | If·using·systemd,· |
| 212 | ········The·<code>r | 212 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 213 | ········<pre>$·sudo·systemctl·disable·r | 213 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 214 | means·that·data·from·the·login·session,·including·passwords·and | 214 | means·that·data·from·the·login·session,·including·passwords·and |
| 215 | all·other·information·transmitted·during·the·session,·can·be | 215 | all·other·information·transmitted·during·the·session,·can·be |
| 216 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 217 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 218 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 218 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27337-5">CCE-27337-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 219 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 220 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 220 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 221 | # | 221 | # |
| 222 | #·Disable·r | 222 | #·Disable·rsh.socket·for·all·systemd·targets |
| 223 | # | 223 | # |
| 224 | systemctl·disable·r | 224 | systemctl·disable·rsh.socket |
| 225 | # | 225 | # |
| 226 | #·Stop·r | 226 | #·Stop·rsh.socket·if·currently·running |
| 227 | # | 227 | # |
| 228 | systemctl·stop·r | 228 | systemctl·stop·rsh.socket |
| 229 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 229 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 230 | ··service: | 230 | ··service: |
| 231 | ····name="{{item}}" | 231 | ····name="{{item}}" |
| 232 | ····enabled="no" | 232 | ····enabled="no" |
| 233 | ····state="stopped" | 233 | ····state="stopped" |
| 234 | ··register:·service_result | 234 | ··register:·service_result |
| 235 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 235 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 236 | ··with_items: | 236 | ··with_items: |
| 237 | ····-·r | 237 | ····-·rsh |
| 238 | ··tags: | 238 | ··tags: |
| 239 | ····-·service_r | 239 | ····-·service_rsh_disabled |
| 240 | ····-·high_severity | 240 | ····-·high_severity |
| 241 | ····-·disable_strategy | 241 | ····-·disable_strategy |
| 242 | ····-·low_complexity | 242 | ····-·low_complexity |
| 243 | ····-·low_disruption | 243 | ····-·low_disruption |
| 244 | ····-·CCE-27 | 244 | ····-·CCE-27337-5 |
| 245 | ····-·NIST-800-53-AC-17(8) | 245 | ····-·NIST-800-53-AC-17(8) |
| 246 | ····-·NIST-800-53-CM-7 | 246 | ····-·NIST-800-53-CM-7 |
| 247 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 247 | ····-·NIST-800-171-3.1.13 | 248 | ····-·NIST-800-171-3.1.13 |
| 248 | ····-·NIST-800-171-3.4.7 | 249 | ····-·NIST-800-171-3.4.7 |
| 249 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 250 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 250 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 251 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 251 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 252 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 252 | as·a·systemd·socket,·should·be·disabled. | 253 | as·a·systemd·socket,·should·be·disabled. |
| 253 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 254 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 254 | If·using·systemd,· | 255 | If·using·systemd,· |
| 255 | ········The·<code>r | 256 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 256 | ········<pre>$·sudo·systemctl·disable·r | 257 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 257 | means·that·data·from·the·login·session,·including·passwords·and | 258 | means·that·data·from·the·login·session,·including·passwords·and |
| 258 | all·other·information·transmitted·during·the·session,·can·be | 259 | all·other·information·transmitted·during·the·session,·can·be |
| 259 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 260 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 260 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 261 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 261 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 262 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 262 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 263 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 263 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 264 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 264 | # | 265 | # |
| 265 | #·Disable·r | 266 | #·Disable·rexec.socket·for·all·systemd·targets |
| 266 | # | 267 | # |
| 267 | systemctl·disable·r | 268 | systemctl·disable·rexec.socket |
| 268 | # | 269 | # |
| 269 | #·Stop·r | 270 | #·Stop·rexec.socket·if·currently·running |
| 270 | # | 271 | # |
| 271 | systemctl·stop·r | 272 | systemctl·stop·rexec.socket |
| 272 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 273 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 273 | ··service: | 274 | ··service: |
| 274 | ····name="{{item}}" | 275 | ····name="{{item}}" |
| 275 | ····enabled="no" | 276 | ····enabled="no" |
| 276 | ····state="stopped" | 277 | ····state="stopped" |
| 277 | ··register:·service_result | 278 | ··register:·service_result |
| 278 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 279 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 279 | ··with_items: | 280 | ··with_items: |
| 280 | ····-·r | 281 | ····-·rexec |
| 281 | ··tags: | 282 | ··tags: |
| 282 | ····-·service_r | 283 | ····-·service_rexec_disabled |
| 283 | ····-·high_severity | 284 | ····-·high_severity |
| 284 | ····-·disable_strategy | 285 | ····-·disable_strategy |
| 285 | ····-·low_complexity | 286 | ····-·low_complexity |
| 286 | ····-·low_disruption | 287 | ····-·low_disruption |
| 287 | ····-·CCE-27 | 288 | ····-·CCE-27408-4 |
| 288 | ····-·NIST-800-53-AC-17(8) | 289 | ····-·NIST-800-53-AC-17(8) |
| 289 | ····-·NIST-800-53-CM-7 | 290 | ····-·NIST-800-53-CM-7 |
| 290 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 291 | ····-·NIST-800-171-3.1.13 | 291 | ····-·NIST-800-171-3.1.13 |
| 292 | ····-·NIST-800-171-3.4.7 | 292 | ····-·NIST-800-171-3.4.7 |
| 293 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 293 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 294 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 294 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 295 | the·following·command: | 295 | the·following·command: |
| 296 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 296 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 297 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 297 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 880, 26 lines modified | Offset 880, 26 lines modified | ||
| 880 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 880 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 881 | package·--remove=ypserv | 881 | package·--remove=ypserv |
| 882 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 882 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 883 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 883 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 884 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 884 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 885 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 885 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 886 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 886 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 887 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 887 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 888 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 888 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 889 | ············ | 889 | ············ |
| 890 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 890 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 891 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 891 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 892 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 892 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 893 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 893 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 894 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 894 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 895 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 895 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 896 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 896 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 897 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 897 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 898 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 898 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36485">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36485"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 899 | # | 899 | # |
| 900 | #·Example·Call(s): | 900 | #·Example·Call(s): |
| 901 | # | 901 | # |
| Max diff block lines reached; 756516/783946 bytes (96.50%) of diff not shown. | |||
| Offset 207, 103 lines modified | Offset 207, 103 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36065"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>r | 220 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·r | 221 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 226 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 226 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27337-5">CCE-27337-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 227 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 227 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 228 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 228 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 229 | # | 229 | # |
| 230 | #·Disable·r | 230 | #·Disable·rsh.socket·for·all·systemd·targets |
| 231 | # | 231 | # |
| 232 | systemctl·disable·r | 232 | systemctl·disable·rsh.socket |
| 233 | # | 233 | # |
| 234 | #·Stop·r | 234 | #·Stop·rsh.socket·if·currently·running |
| 235 | # | 235 | # |
| 236 | systemctl·stop·r | 236 | systemctl·stop·rsh.socket |
| 237 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 237 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 238 | ··service: | 238 | ··service: |
| 239 | ····name="{{item}}" | 239 | ····name="{{item}}" |
| 240 | ····enabled="no" | 240 | ····enabled="no" |
| 241 | ····state="stopped" | 241 | ····state="stopped" |
| 242 | ··register:·service_result | 242 | ··register:·service_result |
| 243 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 243 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 244 | ··with_items: | 244 | ··with_items: |
| 245 | ····-·r | 245 | ····-·rsh |
| 246 | ··tags: | 246 | ··tags: |
| 247 | ····-·service_r | 247 | ····-·service_rsh_disabled |
| 248 | ····-·high_severity | 248 | ····-·high_severity |
| 249 | ····-·disable_strategy | 249 | ····-·disable_strategy |
| 250 | ····-·low_complexity | 250 | ····-·low_complexity |
| 251 | ····-·low_disruption | 251 | ····-·low_disruption |
| 252 | ····-·CCE-27 | 252 | ····-·CCE-27337-5 |
| 253 | ····-·NIST-800-53-AC-17(8) | 253 | ····-·NIST-800-53-AC-17(8) |
| 254 | ····-·NIST-800-53-CM-7 | 254 | ····-·NIST-800-53-CM-7 |
| 255 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 255 | ····-·NIST-800-171-3.1.13 | 256 | ····-·NIST-800-171-3.1.13 |
| 256 | ····-·NIST-800-171-3.4.7 | 257 | ····-·NIST-800-171-3.4.7 |
| 257 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 258 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 258 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 259 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 259 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 260 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 260 | as·a·systemd·socket,·should·be·disabled. | 261 | as·a·systemd·socket,·should·be·disabled. |
| 261 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 262 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 262 | If·using·systemd,· | 263 | If·using·systemd,· |
| 263 | ········The·<code>r | 264 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 264 | ········<pre>$·sudo·systemctl·disable·r | 265 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 265 | means·that·data·from·the·login·session,·including·passwords·and | 266 | means·that·data·from·the·login·session,·including·passwords·and |
| 266 | all·other·information·transmitted·during·the·session,·can·be | 267 | all·other·information·transmitted·during·the·session,·can·be |
| 267 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 268 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 268 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 269 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 269 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 270 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 270 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 271 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 271 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 272 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 272 | # | 273 | # |
| 273 | #·Disable·r | 274 | #·Disable·rexec.socket·for·all·systemd·targets |
| 274 | # | 275 | # |
| 275 | systemctl·disable·r | 276 | systemctl·disable·rexec.socket |
| 276 | # | 277 | # |
| 277 | #·Stop·r | 278 | #·Stop·rexec.socket·if·currently·running |
| 278 | # | 279 | # |
| 279 | systemctl·stop·r | 280 | systemctl·stop·rexec.socket |
| 280 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 281 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 281 | ··service: | 282 | ··service: |
| 282 | ····name="{{item}}" | 283 | ····name="{{item}}" |
| 283 | ····enabled="no" | 284 | ····enabled="no" |
| 284 | ····state="stopped" | 285 | ····state="stopped" |
| 285 | ··register:·service_result | 286 | ··register:·service_result |
| 286 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 287 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 287 | ··with_items: | 288 | ··with_items: |
| 288 | ····-·r | 289 | ····-·rexec |
| 289 | ··tags: | 290 | ··tags: |
| 290 | ····-·service_r | 291 | ····-·service_rexec_disabled |
| 291 | ····-·high_severity | 292 | ····-·high_severity |
| 292 | ····-·disable_strategy | 293 | ····-·disable_strategy |
| 293 | ····-·low_complexity | 294 | ····-·low_complexity |
| 294 | ····-·low_disruption | 295 | ····-·low_disruption |
| 295 | ····-·CCE-27 | 296 | ····-·CCE-27408-4 |
| 296 | ····-·NIST-800-53-AC-17(8) | 297 | ····-·NIST-800-53-AC-17(8) |
| 297 | ····-·NIST-800-53-CM-7 | 298 | ····-·NIST-800-53-CM-7 |
| 298 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 299 | ····-·NIST-800-171-3.1.13 | 299 | ····-·NIST-800-171-3.1.13 |
| 300 | ····-·NIST-800-171-3.4.7 | 300 | ····-·NIST-800-171-3.4.7 |
| 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 303 | the·following·command: | 303 | the·following·command: |
| 304 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 304 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 305 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 305 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 888, 26 lines modified | Offset 888, 26 lines modified | ||
| 888 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 888 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 889 | package·--remove=ypserv | 889 | package·--remove=ypserv |
| 890 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 890 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 891 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 891 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 892 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 892 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 893 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 893 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 894 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 894 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 895 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 895 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 896 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 896 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 897 | ············ | 897 | ············ |
| 898 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 898 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 899 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 899 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 900 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 900 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 901 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 901 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 902 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 902 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 903 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 903 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 904 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 904 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 905 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 905 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 906 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 906 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36485">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36485"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 907 | # | 907 | # |
| 908 | #·Example·Call(s): | 908 | #·Example·Call(s): |
| 909 | # | 909 | # |
| Max diff block lines reached; 1597358/1624788 bytes (98.31%) of diff not shown. | |||
| Offset 218, 103 lines modified | Offset 218, 103 lines modified | ||
| 218 | ····-·low_disruption | 218 | ····-·low_disruption |
| 219 | ····-·CCE-27336-7 | 219 | ····-·CCE-27336-7 |
| 220 | ····-·NIST-800-53-AC-17(8) | 220 | ····-·NIST-800-53-AC-17(8) |
| 221 | ····-·NIST-800-53-CM-7 | 221 | ····-·NIST-800-53-CM-7 |
| 222 | ····-·NIST-800-53-IA-5(1)(c) | 222 | ····-·NIST-800-53-IA-5(1)(c) |
| 223 | ····-·NIST-800-171-3.1.13 | 223 | ····-·NIST-800-171-3.1.13 |
| 224 | ····-·NIST-800-171-3.4.7 | 224 | ····-·NIST-800-171-3.4.7 |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36065"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 227 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 227 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 228 | as·a·systemd·socket,·should·be·disabled. | 228 | as·a·systemd·socket,·should·be·disabled. |
| 229 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 229 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 230 | If·using·systemd,· | 230 | If·using·systemd,· |
| 231 | ········The·<code>r | 231 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 232 | ········<pre>$·sudo·systemctl·disable·r | 232 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 233 | means·that·data·from·the·login·session,·including·passwords·and | 233 | means·that·data·from·the·login·session,·including·passwords·and |
| 234 | all·other·information·transmitted·during·the·session,·can·be | 234 | all·other·information·transmitted·during·the·session,·can·be |
| 235 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 235 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 237 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 237 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27337-5">CCE-27337-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 238 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 238 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 239 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 239 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 240 | # | 240 | # |
| 241 | #·Disable·r | 241 | #·Disable·rsh.socket·for·all·systemd·targets |
| 242 | # | 242 | # |
| 243 | systemctl·disable·r | 243 | systemctl·disable·rsh.socket |
| 244 | # | 244 | # |
| 245 | #·Stop·r | 245 | #·Stop·rsh.socket·if·currently·running |
| 246 | # | 246 | # |
| 247 | systemctl·stop·r | 247 | systemctl·stop·rsh.socket |
| 248 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 248 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 249 | ··service: | 249 | ··service: |
| 250 | ····name="{{item}}" | 250 | ····name="{{item}}" |
| 251 | ····enabled="no" | 251 | ····enabled="no" |
| 252 | ····state="stopped" | 252 | ····state="stopped" |
| 253 | ··register:·service_result | 253 | ··register:·service_result |
| 254 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 254 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 255 | ··with_items: | 255 | ··with_items: |
| 256 | ····-·r | 256 | ····-·rsh |
| 257 | ··tags: | 257 | ··tags: |
| 258 | ····-·service_r | 258 | ····-·service_rsh_disabled |
| 259 | ····-·high_severity | 259 | ····-·high_severity |
| 260 | ····-·disable_strategy | 260 | ····-·disable_strategy |
| 261 | ····-·low_complexity | 261 | ····-·low_complexity |
| 262 | ····-·low_disruption | 262 | ····-·low_disruption |
| 263 | ····-·CCE-27 | 263 | ····-·CCE-27337-5 |
| 264 | ····-·NIST-800-53-AC-17(8) | 264 | ····-·NIST-800-53-AC-17(8) |
| 265 | ····-·NIST-800-53-CM-7 | 265 | ····-·NIST-800-53-CM-7 |
| 266 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 266 | ····-·NIST-800-171-3.1.13 | 267 | ····-·NIST-800-171-3.1.13 |
| 267 | ····-·NIST-800-171-3.4.7 | 268 | ····-·NIST-800-171-3.4.7 |
| 268 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 269 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 269 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 270 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 270 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 271 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 271 | as·a·systemd·socket,·should·be·disabled. | 272 | as·a·systemd·socket,·should·be·disabled. |
| 272 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 273 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 273 | If·using·systemd,· | 274 | If·using·systemd,· |
| 274 | ········The·<code>r | 275 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 275 | ········<pre>$·sudo·systemctl·disable·r | 276 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 276 | means·that·data·from·the·login·session,·including·passwords·and | 277 | means·that·data·from·the·login·session,·including·passwords·and |
| 277 | all·other·information·transmitted·during·the·session,·can·be | 278 | all·other·information·transmitted·during·the·session,·can·be |
| 278 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 279 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 279 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 280 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 280 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27 | 281 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 281 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 282 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 282 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 283 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 283 | # | 284 | # |
| 284 | #·Disable·r | 285 | #·Disable·rexec.socket·for·all·systemd·targets |
| 285 | # | 286 | # |
| 286 | systemctl·disable·r | 287 | systemctl·disable·rexec.socket |
| 287 | # | 288 | # |
| 288 | #·Stop·r | 289 | #·Stop·rexec.socket·if·currently·running |
| 289 | # | 290 | # |
| 290 | systemctl·stop·r | 291 | systemctl·stop·rexec.socket |
| 291 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 292 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 292 | ··service: | 293 | ··service: |
| 293 | ····name="{{item}}" | 294 | ····name="{{item}}" |
| 294 | ····enabled="no" | 295 | ····enabled="no" |
| 295 | ····state="stopped" | 296 | ····state="stopped" |
| 296 | ··register:·service_result | 297 | ··register:·service_result |
| 297 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 298 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 298 | ··with_items: | 299 | ··with_items: |
| 299 | ····-·r | 300 | ····-·rexec |
| 300 | ··tags: | 301 | ··tags: |
| 301 | ····-·service_r | 302 | ····-·service_rexec_disabled |
| 302 | ····-·high_severity | 303 | ····-·high_severity |
| 303 | ····-·disable_strategy | 304 | ····-·disable_strategy |
| 304 | ····-·low_complexity | 305 | ····-·low_complexity |
| 305 | ····-·low_disruption | 306 | ····-·low_disruption |
| 306 | ····-·CCE-27 | 307 | ····-·CCE-27408-4 |
| 307 | ····-·NIST-800-53-AC-17(8) | 308 | ····-·NIST-800-53-AC-17(8) |
| 308 | ····-·NIST-800-53-CM-7 | 309 | ····-·NIST-800-53-CM-7 |
| 309 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 310 | ····-·NIST-800-171-3.1.13 | 310 | ····-·NIST-800-171-3.1.13 |
| 311 | ····-·NIST-800-171-3.4.7 | 311 | ····-·NIST-800-171-3.4.7 |
| 312 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 312 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 313 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 313 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 314 | the·following·command: | 314 | the·following·command: |
| 315 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 315 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 316 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 316 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 899, 26 lines modified | Offset 899, 26 lines modified | ||
| 899 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 899 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36368">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36368"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 900 | package·--remove=ypserv | 900 | package·--remove=ypserv |
| 901 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 901 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 902 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 902 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 903 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 903 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 904 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 904 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 905 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 905 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 906 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 906 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36467"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 907 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 907 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 908 | ············ | 908 | ············ |
| 909 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 909 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 910 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 910 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 911 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 911 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 912 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 912 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 913 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 913 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 914 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 914 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 915 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 915 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 916 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 916 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27443-1">CCE-27443-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 917 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 917 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36485">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36485"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 918 | # | 918 | # |
| 919 | #·Example·Call(s): | 919 | #·Example·Call(s): |
| 920 | # | 920 | # |
| Max diff block lines reached; 1597358/1624788 bytes (98.31%) of diff not shown. | |||
| Offset 590, 15 lines modified | Offset 590, 61 lines modified | ||
| 590 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 590 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 591 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 591 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 592 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 592 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 593 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 593 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 594 | a·central·logging·server. | 594 | a·central·logging·server. |
| 595 | This·section·discusses·how·to·configure·rsyslog·for | 595 | This·section·discusses·how·to·configure·rsyslog·for |
| 596 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 596 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 597 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 597 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 598 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| 599 | line,·which·should·look·like·this·(wrapped·for·clarity): | ||
| 600 | <pre>/var/log/messages·/var/log/secure·/var/log/maillog·/var/log/spooler·\ | ||
| 601 | ··/var/log/boot.log·/var/log/cron·{</pre> | ||
| 602 | Edit·this·line·so·that·it·contains·a·one-space-separated | ||
| 603 | listing·of·each·log·file·referenced·in·<code>/etc/rsyslog.conf</code>. | ||
| 604 | <br><br> | ||
| 605 | All·logs·in·use·on·a·system·must·be·rotated·regularly,·or·the | ||
| 606 | log·files·will·consume·disk·space·over·time,·eventually·interfering | ||
| 607 | with·system·operation.·The·file·<code>/etc/logrotate.d/syslog</code>·is·the | ||
| 608 | configuration·file·used·by·the·<code>logrotate</code>·program·to·maintain·all | ||
| 609 | log·files·written·by·<code>syslog</code>.·By·default,·it·rotates·logs·weekly·and | ||
| 610 | stores·four·archival·copies·of·each·log.·These·settings·can·be | ||
| 611 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | ||
| 612 | sufficient·for·purposes·of·this·guide. | ||
| 613 | <br><br> | ||
| 614 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | ||
| 615 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | ||
| 616 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | ||
| 617 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·id="guide-tree-leaf-idm40875"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_log_rotation"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">Ensure·Logrotate·Runs·Periodically | ||
| 618 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>logrotate</code>·utility·allows·for·the·automatic·rotation·of· | ||
| 619 | log·files.··The·frequency·of·rotation·is·specified·in·<code>/etc/logrotate.conf</code>,· | ||
| 620 | which·triggers·a·cron·task.··To·configure·logrotate·to·run·daily,·add·or·correct· | ||
| 621 | the·following·line·in·<code>/etc/logrotate.conf</code>: | ||
| 622 | <pre>#·rotate·log·files·<i>frequency</i> | ||
| 623 | daily</pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·that·are·not·properly·rotated·run·the·risk·of·growing·so·large | ||
| 624 | that·they·fill·up·the·/var/log·partition.·Valuable·logging·information·could·be·lost | ||
| 625 | if·the·/var/log·partition·becomes·full.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 626 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 627 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80195-1">CCE-80195-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 628 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40888"><pre><code> | ||
| 629 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | ||
| 630 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 631 | #·daily·rotation·is·configured | ||
| 632 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 633 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 634 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 635 | #·configure·cron.daily·if·not·already | ||
| 636 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 637 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 638 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 639 | fi | ||
| 640 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">Ensure·Proper·Configuration·of·Log·Files | ||
| 598 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. | 641 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. |
| 599 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a | 642 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a |
| 600 | <i>selector</i>·and·an·<i>action</i>. | 643 | <i>selector</i>·and·an·<i>action</i>. |
| 601 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the | 644 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the |
| 602 | requirements·of·the·environment,·and·whatever·may·enable | 645 | requirements·of·the·environment,·and·whatever·may·enable |
| 603 | the·administrator·to·most·effectively·make·use·of·log·data. | 646 | the·administrator·to·most·effectively·make·use·of·log·data. |
| 604 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: | 647 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: |
| Offset 609, 60 lines modified | Offset 655, 30 lines modified | ||
| 609 | *.emerg·················································* | 655 | *.emerg·················································* |
| 610 | uucp,news.crit··········································/var/log/spooler | 656 | uucp,news.crit··········································/var/log/spooler |
| 611 | local7.*················································/var/log/boot.log</pre> | 657 | local7.*················································/var/log/boot.log</pre> |
| 612 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. | 658 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. |
| 613 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that | 659 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that |
| 614 | some·log·processing·programs·may·not·understand.·If·this·occurs,· | 660 | some·log·processing·programs·may·not·understand.·If·this·occurs,· |
| 615 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> | 661 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> |
| 616 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ | 662 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40916"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions |
| 617 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·group-owner·of·all·log·files·written·by | ||
| 618 | <code>rsyslog</code>·should·be·root. | ||
| 619 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 620 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 621 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 622 | run·the·following·command·to·inspect·the·file's·group·owner: | ||
| 623 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 624 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 625 | correct·this: | ||
| 626 | <pre>$·sudo·chgrp·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 627 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 628 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 629 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 630 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80190-2">CCE-80190-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 631 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·id="guide-tree-leaf-idm40906"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">Ensure·Log·Files·Are·Owned·By·Appropriate·User | ||
| 632 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·owner·of·all·log·files·written·by | ||
| 633 | <code>rsyslog</code>·should·be·root. | ||
| 634 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 635 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 636 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 637 | run·the·following·command·to·inspect·the·file's·owner: | ||
| 638 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 639 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 640 | correct·this: | ||
| 641 | <pre>$·sudo·chown·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 642 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 643 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 644 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 645 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80189-4">CCE-80189-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 646 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40951"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions | ||
| 647 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by | 663 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by |
| 648 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. | 664 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 649 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 665 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 650 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· | 666 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 651 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 667 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 652 | run·the·following·command·to·inspect·the·file's·permissions: | 668 | run·the·following·command·to·inspect·the·file's·permissions: |
| 653 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 669 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 654 | If·the·permissions·are·not·600·or·more·restrictive, | 670 | If·the·permissions·are·not·600·or·more·restrictive, |
| 655 | run·the·following·command·to·correct·this: | 671 | run·the·following·command·to·correct·this: |
| 656 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system | 672 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system |
| 657 | configuration.·If·the·system·log·files·are·not·protected·unauthorized | 673 | configuration.·If·the·system·log·files·are·not·protected·unauthorized |
| 658 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 674 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 659 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 675 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 660 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80191-0">CCE-80191-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 676 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80191-0">CCE-80191-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 661 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm409 | 677 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40935"><pre><code> |
| 662 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 678 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 663 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 679 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 664 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 680 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 665 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 681 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 666 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 682 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 667 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 683 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| 668 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths | 684 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths |
| Offset 707, 86 lines modified | Offset 723, 70 lines modified | ||
| 707 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them | 723 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them |
| 708 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] | 724 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] |
| 709 | » then | 725 | » then |
| Max diff block lines reached; 487409/506621 bytes (96.21%) of diff not shown. | |||
| Offset 1565, 15 lines modified | Offset 1565, 15 lines modified | ||
| 1565 | The·following·recommendations·describe·how·to·strengthen·the | 1565 | The·following·recommendations·describe·how·to·strengthen·the |
| 1566 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1566 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1567 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1567 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1568 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1568 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1569 | and·<code>/etc/firewalld/zones</code>·directories. | 1569 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1570 | <br><br> | 1570 | <br><br> |
| 1571 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1571 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1572 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm41 | 1572 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm41167"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1573 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1573 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1574 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1574 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1575 | modify·the·following·line·in | 1575 | modify·the·following·line·in |
| 1576 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1576 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1577 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1577 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1578 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1578 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1579 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1579 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1639, 25 lines modified | Offset 1639, 25 lines modified | ||
| 1639 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1639 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1640 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1640 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1641 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1641 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1642 | vnc-server·wbem-https | 1642 | vnc-server·wbem-https |
| 1643 | </pre> | 1643 | </pre> |
| 1644 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1644 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1645 | service·reload,·enter·the·following·command·as·root: | 1645 | service·reload,·enter·the·following·command·as·root: |
| 1646 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm41 | 1646 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm41298"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1647 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1647 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1648 | ·············· | 1648 | ·············· |
| 1649 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1649 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1650 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1650 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1651 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1651 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1652 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1652 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1653 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1653 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1654 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1654 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1655 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27361-5">CCE-27361-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1655 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27361-5">CCE-27361-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1656 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1656 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41314">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41314"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1657 | # | 1657 | # |
| 1658 | #·Example·Call(s): | 1658 | #·Example·Call(s): |
| 1659 | # | 1659 | # |
| 1660 | #·····service_command·enable·bluetooth | 1660 | #·····service_command·enable·bluetooth |
| 1661 | #·····service_command·disable·bluetooth.service | 1661 | #·····service_command·disable·bluetooth.service |
| 1662 | # | 1662 | # |
| 1663 | #·····Using·xinetd: | 1663 | #·····Using·xinetd: |
| Offset 1725, 15 lines modified | Offset 1725, 15 lines modified | ||
| 1725 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1725 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1726 | ··fi | 1726 | ··fi |
| 1727 | fi | 1727 | fi |
| 1728 | } | 1728 | } |
| 1729 | service_command·enable·firewalld | 1729 | service_command·enable·firewalld |
| 1730 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1730 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41316">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41316"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1731 | ··service: | 1731 | ··service: |
| 1732 | ····name="{{item}}" | 1732 | ····name="{{item}}" |
| 1733 | ····enabled="yes" | 1733 | ····enabled="yes" |
| 1734 | ····state="started" | 1734 | ····state="started" |
| 1735 | ··with_items: | 1735 | ··with_items: |
| 1736 | ····-·firewalld | 1736 | ····-·firewalld |
| 1737 | ··tags: | 1737 | ··tags: |
| Offset 2297, 15 lines modified | Offset 2297, 30 lines modified | ||
| 2297 | The·virtual·devices·<code>/dev/console</code> | 2297 | The·virtual·devices·<code>/dev/console</code> |
| 2298 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via | 2298 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via |
| 2299 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default | 2299 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default |
| 2300 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. | 2300 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. |
| 2301 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained | 2301 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained |
| 2302 | for·compatibility.·Root·should·also·be·prohibited·from·connecting | 2302 | for·compatibility.·Root·should·also·be·prohibited·from·connecting |
| 2303 | via·network·protocols.·Other·sections·of·this·document | 2303 | via·network·protocols.·Other·sections·of·this·document |
| 2304 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 2304 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·id="guide-tree-leaf-idm51790"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">Verify·Only·Root·Has·UID·0 |
| 2305 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2306 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2307 | have·their·UID·changed. | ||
| 2308 | <br> | ||
| 2309 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2310 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2311 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2312 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2313 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2314 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2315 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2316 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 2317 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27175-9">CCE-27175-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2318 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020310</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm51806">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm51806"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2319 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·id="guide-tree-leaf-idm51860"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">Ensure·that·System·Accounts·Do·Not·Run·a·Shell·Upon·Login | ||
| 2305 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to | 2320 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to |
| 2306 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into | 2321 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into |
| 2307 | these·accounts,·they·should·not·be·granted·access·to·a·shell. | 2322 | these·accounts,·they·should·not·be·granted·access·to·a·shell. |
| 2308 | <br><br> | 2323 | <br><br> |
| 2309 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line | 2324 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line |
| 2310 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID | 2325 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID |
| 2311 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in | 2326 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in |
| Offset 2313, 55 lines modified | Offset 2328, 40 lines modified | ||
| 2313 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than | 2328 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than |
| 2314 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account | 2329 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account |
| 2315 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the | 2330 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the |
| 2316 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more | 2331 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more |
| 2317 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 2332 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 2318 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 2333 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 2319 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26448-1">CCE-26448-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 2334 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26448-1">CCE-26448-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 2320 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 2335 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password |
| 2321 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2322 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2323 | have·their·UID·changed. | ||
| 2324 | <br> | ||
| 2325 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2326 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2327 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2328 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2329 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2330 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2331 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2332 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 2333 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27175-9">CCE-27175-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2334 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020310</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm51928">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm51928"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2335 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password | ||
| 2336 | Hashes | 2336 | Hashes |
| 2337 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored | 2337 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored |
| 2338 | in·the·second·field·(colon-separated)·in | 2338 | in·the·second·field·(colon-separated)·in |
| 2339 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by | 2339 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by |
| 2340 | processes·running·with·root·credentials,·preventing·users·from | 2340 | processes·running·with·root·credentials,·preventing·users·from |
| 2341 | casually·accessing·others'·password·hashes·and·attempting | 2341 | casually·accessing·others'·password·hashes·and·attempting |
| 2342 | to·crack·them. | 2342 | to·crack·them. |
| 2343 | However,·it·remains·possible·to·misconfigure·the·system | 2343 | However,·it·remains·possible·to·misconfigure·the·system |
| 2344 | and·store·password·hashes | 2344 | and·store·password·hashes |
| 2345 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 2345 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 2346 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 2346 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 2347 | Using·system-provided·tools·for·password·change/creation | 2347 | Using·system-provided·tools·for·password·change/creation |
| 2348 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 2348 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm51953"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 2349 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 2349 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 2350 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 2350 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| Max diff block lines reached; 108874/133695 bytes (81.43%) of diff not shown. | |||
| Offset 730, 23 lines modified | Offset 730, 23 lines modified | ||
| 730 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 730 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 731 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 731 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 732 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 732 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 733 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 733 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 734 | a·central·logging·server. | 734 | a·central·logging·server. |
| 735 | This·section·discusses·how·to·configure·rsyslog·for | 735 | This·section·discusses·how·to·configure·rsyslog·for |
| 736 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 736 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 737 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm4108 | 737 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm41088"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service |
| 738 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. | 738 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. |
| 739 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: | 739 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: |
| 740 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide | 740 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide |
| 741 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 741 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 742 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 742 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 743 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80188-6">CCE-80188-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 743 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80188-6">CCE-80188-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 744 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4110 | 744 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 745 | # | 745 | # |
| 746 | #·Example·Call(s): | 746 | #·Example·Call(s): |
| 747 | # | 747 | # |
| 748 | #·····service_command·enable·bluetooth | 748 | #·····service_command·enable·bluetooth |
| 749 | #·····service_command·disable·bluetooth.service | 749 | #·····service_command·disable·bluetooth.service |
| 750 | # | 750 | # |
| 751 | #·····Using·xinetd: | 751 | #·····Using·xinetd: |
| Offset 814, 15 lines modified | Offset 814, 15 lines modified | ||
| 814 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 814 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 815 | ··fi | 815 | ··fi |
| 816 | fi | 816 | fi |
| 817 | } | 817 | } |
| 818 | service_command·enable·rsyslog | 818 | service_command·enable·rsyslog |
| 819 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm411 | 819 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog |
| 820 | ··service: | 820 | ··service: |
| 821 | ····name="{{item}}" | 821 | ····name="{{item}}" |
| 822 | ····enabled="yes" | 822 | ····enabled="yes" |
| 823 | ····state="started" | 823 | ····state="started" |
| 824 | ··with_items: | 824 | ··with_items: |
| 825 | ····-·rsyslog | 825 | ····-·rsyslog |
| 826 | ··tags: | 826 | ··tags: |
| Offset 929, 27 lines modified | Offset 929, 27 lines modified | ||
| 929 | casually·accessing·others'·password·hashes·and·attempting | 929 | casually·accessing·others'·password·hashes·and·attempting |
| 930 | to·crack·them. | 930 | to·crack·them. |
| 931 | However,·it·remains·possible·to·misconfigure·the·system | 931 | However,·it·remains·possible·to·misconfigure·the·system |
| 932 | and·store·password·hashes | 932 | and·store·password·hashes |
| 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 935 | Using·system-provided·tools·for·password·change/creation | 935 | Using·system-provided·tools·for·password·change/creation |
| 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm51953"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> | 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> |
| 940 | option·in·<code>/etc/pam.d/system-auth</code>·to | 940 | option·in·<code>/etc/pam.d/system-auth</code>·to |
| 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and | 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and |
| 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with | 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with |
| 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 945 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27286-4">CCE-27286-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 945 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27286-4">CCE-27286-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 946 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010290</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm5 | 946 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010290</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm51984">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm51984"><pre><code>sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 947 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 947 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 948 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5 | 948 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm51985">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm51985"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 949 | ··replace: | 949 | ··replace: |
| 950 | ····dest:·/etc/pam.d/system-auth | 950 | ····dest:·/etc/pam.d/system-auth |
| 951 | ····follow:·yes | 951 | ····follow:·yes |
| 952 | ····regexp:·'nullok' | 952 | ····regexp:·'nullok' |
| 953 | ··tags: | 953 | ··tags: |
| 954 | ····-·no_empty_passwords | 954 | ····-·no_empty_passwords |
| 955 | ····-·high_severity | 955 | ····-·high_severity |
| Offset 1147, 160 lines modified | Offset 1147, 31 lines modified | ||
| 1147 | <br><br> | 1147 | <br><br> |
| 1148 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· | 1148 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· |
| 1149 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· | 1149 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· |
| 1150 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· | 1150 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· |
| 1151 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1151 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1153 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80130-8">CCE-80130-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1153 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80130-8">CCE-80130-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1154 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1154 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_partitions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_partitions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_partitions">Restrict·Partition·Mount·Options |
| 1155 | Filesystems | ||
| 1156 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mounting">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Linux·includes·a·number·of·facilities·for·the·automated·addition | ||
| 1157 | and·removal·of·filesystems·on·a·running·system.··These·facilities·may·be | ||
| 1158 | necessary·in·many·environments,·but·this·capability·also·carries·some·risk·--·whether·direct | ||
| 1159 | risk·from·allowing·users·to·introduce·arbitrary·filesystems, | ||
| 1160 | or·risk·that·software·flaws·in·the·automated·mount·facility·itself·could | ||
| 1161 | allow·an·attacker·to·compromise·the·system. | ||
| 1162 | <br><br> | ||
| 1163 | This·command·can·be·used·to·list·the·types·of·filesystems·that·are | ||
| 1164 | available·to·the·currently·executing·kernel: | ||
| 1165 | <pre>$·find·/lib/modules/`uname·-r`/kernel/fs·-type·f·-name·'*.ko'</pre> | ||
| 1166 | If·these·filesystems·are·not·required·then·they·can·be·explicitly·disabled | ||
| 1167 | in·a·configuratio·file·in··<code>/etc/modprobe.d</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mounting"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled"·id="guide-tree-leaf-idm54599"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mounting"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_autofs_disabled">Disable·the·Automounter | ||
| 1168 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_autofs_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>autofs</code>·daemon·mounts·and·unmounts·filesystems,·such·as·user | ||
| 1169 | home·directories·shared·via·NFS,·on·demand.·In·addition,·autofs·can·be·used·to·handle | ||
| 1170 | removable·media,·and·the·default·configuration·provides·the·cdrom·device·as·<code>/misc/cd</code>. | ||
| 1171 | However,·this·method·of·providing·access·to·removable·media·is·not·common,·so·autofs | ||
| 1172 | can·almost·always·be·disabled·if·NFS·is·not·in·use.·Even·if·NFS·is·required,·it·may·be | ||
| 1173 | possible·to·configure·filesystem·mounts·statically·by·editing·<code>/etc/fstab</code> | ||
| 1174 | rather·than·relying·on·the·automounter. | ||
| 1175 | <br><br> | ||
| 1176 | ········The·<code>autofs</code>·service·can·be·disabled·with·the·following·command: | ||
| 1177 | ········<pre>$·sudo·systemctl·disable·autofs.service</pre></p><span·class="label·label-primary">Rationale:</span><p>Disabling·the·automounter·permits·the·administrator·to | ||
| 1178 | statically·control·filesystem·mounting·through·<code>/etc/fstab</code>. | ||
| 1179 | <br><br> | ||
| 1180 | Additionally,·automatically·mounting·filesystems·permits·easy·introduction·of | ||
| 1181 | unknown·devices,·thereby·facilitating·malicious·activity.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1182 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1183 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27498-5">CCE-27498-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1184 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020110</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86609r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-00163</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm54635">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm54635"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 1185 | # | ||
| 1186 | #·Example·Call(s): | ||
| 1187 | # | ||
| 1188 | #·····service_command·enable·bluetooth | ||
| 1189 | #·····service_command·disable·bluetooth.service | ||
| 1190 | # | ||
| 1191 | #·····Using·xinetd: | ||
| 1192 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 1193 | # | ||
| 1194 | function·service_command·{ | ||
| 1195 | #·Load·function·arguments·into·local·variables | ||
| 1196 | local·service_state=$1 | ||
| 1197 | local·service=$2 | ||
| 1198 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 1199 | #·Check·sanity·of·the·input | ||
| 1200 | if·[·$#·-lt·"2"·] | ||
| 1201 | then | ||
| 1202 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| Max diff block lines reached; 306793/337130 bytes (91.00%) of diff not shown. | |||
| Offset 84, 56 lines modified | Offset 84, 56 lines modified | ||
| 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 90 | allow·cleartext·remote·access·and·have·an·insecure·trust | 90 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm360 | 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 93 | and·users·that·are·trusted·by·the·local·system. | ||
| 94 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 95 | location: | ||
| 96 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 97 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 98 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 99 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 100 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 101 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 102 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 103 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36075">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36075"><pre><code> | ||
| 104 | #·Identify·local·mounts | ||
| 105 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 106 | #·Find·file·on·each·listed·mount·point | ||
| 107 | for·cur_mount·in·${MOUNT_LIST} | ||
| 108 | do | ||
| 109 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 110 | done | ||
| 111 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36112"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files | ||
| 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 113 | list·remote·hosts·and·users·that·are·trusted·by·the | 93 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 114 | local·system.·To·remove·these·files,·run·the·following·command | 94 | local·system.·To·remove·these·files,·run·the·following·command |
| 115 | to·delete·them·from·any·location: | 95 | to·delete·them·from·any·location: |
| 116 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 96 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 117 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 97 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 118 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 98 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 119 | require·interactive·identification·and·authentication·of·a·connection·request, | 99 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 120 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 100 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 121 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 101 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 122 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 102 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 123 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 103 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><pre><code> |
| 124 | #·Identify·local·mounts | 104 | #·Identify·local·mounts |
| 125 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 105 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 126 | #·Find·file·on·each·listed·mount·point | 106 | #·Find·file·on·each·listed·mount·point |
| 127 | for·cur_mount·in·${MOUNT_LIST} | 107 | for·cur_mount·in·${MOUNT_LIST} |
| 128 | do | 108 | do |
| 129 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 109 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 130 | done | 110 | done |
| 111 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36049"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files | ||
| 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 113 | and·users·that·are·trusted·by·the·local·system. | ||
| 114 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 115 | location: | ||
| 116 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 117 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 118 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 119 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 120 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 121 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 122 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 123 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36060">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36060"><pre><code> | ||
| 124 | #·Identify·local·mounts | ||
| 125 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 126 | #·Find·file·on·each·listed·mount·point | ||
| 127 | for·cur_mount·in·${MOUNT_LIST} | ||
| 128 | do | ||
| 129 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 130 | done | ||
| 131 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 131 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 132 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 132 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 133 | the·following·command: | 133 | the·following·command: |
| 134 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 134 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 135 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 135 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 136 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 136 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 137 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 137 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| Offset 368, 38 lines modified | Offset 368, 28 lines modified | ||
| 368 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server | 368 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server |
| 369 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has | 369 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has |
| 370 | traditionally·been·used·to·configure·networking·equipment.·However, | 370 | traditionally·been·used·to·configure·networking·equipment.·However, |
| 371 | TFTP·provides·little·security,·and·modern·versions·of·networking | 371 | TFTP·provides·little·security,·and·modern·versions·of·networking |
| 372 | operating·systems·frequently·support·configuration·via·SSH·or·other | 372 | operating·systems·frequently·support·configuration·via·SSH·or·other |
| 373 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more | 373 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more |
| 374 | secure·method·of·supporting·existing·equipment·can·be | 374 | secure·method·of·supporting·existing·equipment·can·be |
| 375 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_tftp | 375 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36412"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package |
| 376 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 377 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 378 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 379 | the·following·example·(which·is·also·the·default): | ||
| 380 | <pre>server_args·=·-s·/var/lib/tftpboot</pre></p><span·class="label·label-primary">Rationale:</span><p>Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | ||
| 381 | given·directory.·Serving·files·from·an·intentionally-specified·directory | ||
| 382 | reduces·the·risk·of·sharing·files·which·should·remain·private.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 383 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 384 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80214-0">CCE-80214-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 385 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040720</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86929r2_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36433"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package | ||
| 386 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 376 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 387 | ············ | 377 | ············ |
| 388 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: | 378 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: |
| 389 | ········<pre>$·sudo·yum·erase·tftp-server</pre> | 379 | ········<pre>$·sudo·yum·erase·tftp-server</pre> |
| 390 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the | 380 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the |
| 391 | accidental·(or·intentional)·activation·of·tftp·services. | 381 | accidental·(or·intentional)·activation·of·tftp·services. |
| 392 | <br><br> | 382 | <br><br> |
| 393 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), | 383 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), |
| 394 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· | 384 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· |
| 395 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 385 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 396 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 386 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 397 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80213-2">CCE-80213-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 387 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80213-2">CCE-80213-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 398 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040700</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm364 | 388 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040700</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36433">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36433"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 399 | # | 389 | # |
| 400 | #·Example·Call(s): | 390 | #·Example·Call(s): |
| 401 | # | 391 | # |
| 402 | #·····package_remove·telnet-server | 392 | #·····package_remove·telnet-server |
| 403 | # | 393 | # |
| 404 | function·package_remove·{ | 394 | function·package_remove·{ |
| Offset 429, 15 lines modified | Offset 419, 15 lines modified | ||
| 429 | ··echo·"Aborting." | 419 | ··echo·"Aborting." |
| 430 | ··exit·1 | 420 | ··exit·1 |
| 431 | fi | 421 | fi |
| 432 | } | 422 | } |
| 433 | package_remove·tftp-server | 423 | package_remove·tftp-server |
| 434 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm364 | 424 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36435">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36435"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·tftp-server·is·removed |
| 435 | ··package: | 425 | ··package: |
| 436 | ····name="{{item}}" | 426 | ····name="{{item}}" |
| Max diff block lines reached; 957784/980794 bytes (97.65%) of diff not shown. | |||
| Offset 65, 15 lines modified | Offset 65, 15 lines modified | ||
| 65 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 65 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 69 | quality,·reliability,·or·any·other·characteristic. | 69 | quality,·reliability,·or·any·other·characteristic. |
| 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 71 | ····························(as·of·2018-07-26) | 71 | ····························(as·of·2018-07-26) |
| 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 76 | ones·can·be·safely·disabled. | 76 | ones·can·be·safely·disabled. |
| 77 | <br><br> | 77 | <br><br> |
| 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 236, 96 lines modified | Offset 236, 14 lines modified | ||
| 236 | class·remove_httpd·{ | 236 | class·remove_httpd·{ |
| 237 | ··package·{·'httpd': | 237 | ··package·{·'httpd': |
| 238 | ····ensure·=>·'purged', | 238 | ····ensure·=>·'purged', |
| 239 | ··} | 239 | ··} |
| 240 | } | 240 | } |
| 241 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 241 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 242 | package·--remove=httpd | 242 | package·--remove=httpd |
| 243 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 244 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 245 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 246 | parameters·from·a·server. | ||
| 247 | <br><br> | ||
| 248 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 249 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 250 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 251 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 252 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 253 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 254 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 255 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 256 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 257 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 258 | the·dhcp·package·can·be·uninstalled. | ||
| 259 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 260 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 261 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 262 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 263 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 264 | # | ||
| 265 | #·Example·Call(s): | ||
| 266 | # | ||
| 267 | #·····package_remove·telnet-server | ||
| 268 | # | ||
| 269 | function·package_remove·{ | ||
| 270 | #·Load·function·arguments·into·local·variables | ||
| 271 | local·package="$1" | ||
| 272 | #·Check·sanity·of·the·input | ||
| 273 | if·[·$#·-ne·"1"·] | ||
| 274 | then | ||
| 275 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 276 | ··echo·"Aborting." | ||
| 277 | ··exit·1 | ||
| 278 | fi | ||
| 279 | if·which·dnf·;·then | ||
| 280 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 281 | ····dnf·remove·-y·"$package" | ||
| 282 | ··fi | ||
| 283 | elif·which·yum·;·then | ||
| 284 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 285 | ····yum·remove·-y·"$package" | ||
| 286 | ··fi | ||
| 287 | elif·which·apt-get·;·then | ||
| 288 | ··apt-get·remove·-y·"$package" | ||
| 289 | else | ||
| 290 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | } | ||
| 295 | package_remove·dhcp | ||
| 296 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29700">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29700"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 297 | ··package: | ||
| 298 | ····name="{{item}}" | ||
| 299 | ····state=absent | ||
| 300 | ··with_items: | ||
| 301 | ····-·dhcp | ||
| 302 | ··tags: | ||
| 303 | ····-·package_dhcp_removed | ||
| 304 | ····-·medium_severity | ||
| 305 | ····-·disable_strategy | ||
| 306 | ····-·low_complexity | ||
| 307 | ····-·low_disruption | ||
| 308 | ····-·CCE-27120-5 | ||
| 309 | ····-·NIST-800-53-CM-7 | ||
| 310 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29701">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29701"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 311 | class·remove_dhcp·{ | ||
| 312 | ··package·{·'dhcp': | ||
| 313 | ····ensure·=>·'purged', | ||
| 314 | ··} | ||
| 315 | } | ||
| 316 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29702"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 317 | package·--remove=dhcp | ||
| 318 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | 243 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 244 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 320 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 245 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 321 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 246 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 322 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 247 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 323 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 248 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 324 | outside·world. | 249 | outside·world. |
| Offset 345, 15 lines modified | Offset 263, 15 lines modified | ||
| 345 | <br><br> | 263 | <br><br> |
| 346 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 264 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 347 | servers,·and·the·remainder·obtaining·time·information·from·those | 265 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 348 | internal·servers. | 266 | internal·servers. |
| 349 | <br><br> | 267 | <br><br> |
| 350 | More·information·on·how·to·configure·the·NTP·server·software, | 268 | More·information·on·how·to·configure·the·NTP·server·software, |
| 351 | including·configuration·of·cryptographic·authentication·for | 269 | including·configuration·of·cryptographic·authentication·for |
| 352 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 270 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 271 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 354 | ·········· | 272 | ·········· |
| 355 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 273 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 356 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 274 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 357 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 275 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 358 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 276 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| Max diff block lines reached; 1633865/1653436 bytes (98.82%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1051,·SHA1:·16d11bb4d21e01e6ba501025710e90c7dff143f7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 77, 29 lines modified | Offset 77, 29 lines modified | ||
| 77 | <br><br> | 77 | <br><br> |
| 78 | However,·there·are·some·FTP·server·configurations·which·may | 78 | However,·there·are·some·FTP·server·configurations·which·may |
| 79 | be·appropriate·for·some·environments,·particularly·those·which | 79 | be·appropriate·for·some·environments,·particularly·those·which |
| 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 86 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 87 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 88 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 89 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 86 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 91 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 87 | <pre>xferlog_enable=YES | 92 | <pre>xferlog_enable=YES |
| 88 | xferlog_std_format=NO | 93 | xferlog_std_format=NO |
| 89 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 94 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 90 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 95 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 91 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 98 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 102 | ············ | 102 | ············ |
| 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| Offset 528, 19 lines modified | Offset 528, 18 lines modified | ||
| 528 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_cgi_support">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>cgi</code>·module·allows·HTML·to·interact·with·the·CGI·web·programming·language. | 528 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_cgi_support">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>cgi</code>·module·allows·HTML·to·interact·with·the·CGI·web·programming·language. |
| 529 | <br><br> | 529 | <br><br> |
| 530 | If·this·functionality·is·unnecessary,·comment·out·the·module: | 530 | If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 531 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> | 531 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> |
| 532 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 532 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 533 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 533 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 534 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 534 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_digest_authentication"·id="guide-tree-leaf-idm29444"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication">Disable·HTTP·Digest·Authentication |
| 535 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 535 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_digest_authentication">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>auth_digest</code>·module·provides·encrypted·authentication·sessions. |
| 536 | 536 | If·this·functionality·is·unnecessary,·comment·out·the·related·module: | |
| 537 | <pre>#LoadModule· | 537 | <pre>#LoadModule·auth_digest_module·modules/mod_auth_digest.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 538 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 539 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 538 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 540 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·id="guide-tree-leaf-idm29450"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status">Disable·Server·Activity·Status | 539 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status"·id="guide-tree-leaf-idm29450"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status">Disable·Server·Activity·Status |
| 541 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of | 540 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_activity_status">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of |
| 542 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled | 541 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled |
| 543 | unless·necessary.·To·do·so,·comment·out·the·related·module: | 542 | unless·necessary.·To·do·so,·comment·out·the·related·module: |
| 544 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> | 543 | <pre>#LoadModule·status_module·modules/mod_status.so</pre> |
| 545 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status | 544 | If·there·is·a·critical·need·for·this·module,·ensure·that·access·to·the·status |
| Offset 551, 18 lines modified | Offset 550, 19 lines modified | ||
| 551 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_configuration_display">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>info</code>·module·creates·a·web·page·illustrating·the·configuration·of·the·web·server.·This | 550 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_server_configuration_display">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>info</code>·module·creates·a·web·page·illustrating·the·configuration·of·the·web·server.·This |
| 552 | can·create·an·unnecessary·security·leak·and·should·be·disabled. | 551 | can·create·an·unnecessary·security·leak·and·should·be·disabled. |
| 553 | If·its·functionality·is·unnecessary,·comment·out·the·module: | 552 | If·its·functionality·is·unnecessary,·comment·out·the·module: |
| 554 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> | 553 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> |
| 555 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide | 554 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide |
| 556 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 555 | an·access·control·list·to·restrict·access·to·the·information.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 557 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 556 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 558 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ | 557 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_url_correction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_url_correction"·id="guide-tree-leaf-idm29463"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_url_correction">Disable·URL·Correction·on·Misspelled·Entries |
| 559 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_ | 558 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_url_correction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>speling</code>·module·attempts·to·find·a·document·match·by·allowing·one·misspelling·in·an |
| 560 | If·this·functionality·is·unnecessary,·comment·out·th | 559 | otherwise·failed·request.·If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 561 | <pre>#LoadModule· | 560 | <pre>#LoadModule·speling_module·modules/mod_speling.so</pre> |
| 561 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | ||
| 562 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 562 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 563 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic"·id="guide-tree-leaf-idm29469"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_mime_magic">Disable·MIME·Magic | 563 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic"·id="guide-tree-leaf-idm29469"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_mime_magic">Disable·MIME·Magic |
| 564 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations | 564 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_mime_magic">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations |
| 565 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: | 565 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: |
| 566 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 566 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre></p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 567 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 567 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 568 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29475"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) | 568 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav"·id="guide-tree-leaf-idm29475"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_webdav">Disable·WebDAV·(Distributed·Authoring·and·Versioning) |
| Offset 609, 105 lines modified | Offset 609, 15 lines modified | ||
| 609 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler | 609 | If·proxy·support·is·needed,·load·<code>mod_proxy</code>·and·the·appropriate·proxy·protocol·handler |
| 610 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, | 610 | module·(one·of·<code>mod_proxy_http</code>,·<code>mod_proxy_ftp</code>,·or·<code>mod_proxy_connect</code>).·Additionally, |
| 611 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers | 611 | make·certain·that·a·server·is·secure·before·enabling·proxying,·as·open·proxy·servers |
| 612 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that | 612 | are·a·security·risk.·<code>mod_proxy_balancer</code>·enables·load·balancing,·but·requires·that |
| 613 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 613 | <code>mod·status</code>·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 614 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 614 | by·limiting·the·capabilities·allowed·by·the·web·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 615 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 615 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 616 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 617 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 618 | parameters·from·a·server. | ||
| 619 | <br><br> | ||
| 620 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 621 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 622 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 623 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 624 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 625 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 626 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 627 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 628 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 629 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 630 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 631 | following·changes: | ||
| 632 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 633 | <pre>BOOTPROTO=none</pre> | ||
| 634 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 635 | values·based·on·your·site's·addressing·scheme: | ||
| 636 | <pre>NETMASK=255.255.255.0 | ||
| 637 | IPADDR=192.168.1.2 | ||
| 638 | GATEWAY=192.168.1.1</pre> | ||
| 639 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 640 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 641 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 642 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 643 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| Max diff block lines reached; 2448350/2491704 bytes (98.26%) of diff not shown. | |||
| Offset 61, 15 lines modified | Offset 61, 15 lines modified | ||
| 61 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 61 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 65 | quality,·reliability,·or·any·other·characteristic. | 65 | quality,·reliability,·or·any·other·characteristic. |
| 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.conte[·...·truncated·by·diffoscope;·len:·622,·SHA1:·5fdea4aa41595454218b51257d3604d966d4890a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 321, 255 lines modified | Offset 321, 15 lines modified | ||
| 321 | ····-·NIST-800-53-CM-7 | 321 | ····-·NIST-800-53-CM-7 |
| 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory |
| 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: |
| 324 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | 324 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> |
| 325 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | 325 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker |
| 326 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 326 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 327 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 327 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 328 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 328 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 329 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 330 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 331 | parameters·from·a·server. | ||
| 332 | <br><br> | ||
| 333 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 334 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 335 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 336 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 337 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 338 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 339 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 340 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 341 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 342 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 343 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 344 | following·changes: | ||
| 345 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 346 | <pre>BOOTPROTO=none</pre> | ||
| 347 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 348 | values·based·on·your·site's·addressing·scheme: | ||
| 349 | <pre>NETMASK=255.255.255.0 | ||
| 350 | IPADDR=192.168.1.2 | ||
| 351 | GATEWAY=192.168.1.1</pre> | ||
| 352 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 353 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 354 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 355 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 356 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 357 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 358 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 359 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 360 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 361 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 362 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 363 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 364 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 365 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline"·id="guide-tree-leaf-idm29643"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">Deny·Decline·Messages | ||
| 366 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·<code>/etc/dhcp/dhcpd.conf</code>·and·add·or·correct·the·following | ||
| 367 | global·option·to·prevent·the·DHCP·server·from·responding·the·DHCPDECLINE | ||
| 368 | messages,·if·possible:·<pre>deny·declines;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DHCPDECLINE·message·can·be·sent·by·a·DHCP·client·to·indicate | ||
| 369 | that·it·does·not·consider·the·lease·offered·by·the·server·to·be·valid.·By | ||
| 370 | issuing·many·DHCPDECLINE·messages,·a·malicious·client·can·exhaust·the·DHCP | ||
| 371 | server's·pool·of·IP·addresses,·causing·the·DHCP·server·to·forget·old·address | ||
| 372 | allocations.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 373 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 374 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns"·id="guide-tree-leaf-idm29652"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">Do·Not·Use·Dynamic·DNS | ||
| 375 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·prevent·the·DHCP·server·from·receiving·DNS·information·from | ||
| 376 | clients,·edit·<code>/etc/dhcp/dhcpd.conf</code>,·and·add·or·correct·the·following·global | ||
| 377 | option:·<pre>ddns-update-style·none;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·Dynamic·DNS·protocol·is·used·to·remotely·update·the·data·served | ||
| 378 | by·a·DNS·server.·DHCP·servers·can·use·Dynamic·DNS·to·publish·information·about | ||
| 379 | their·clients.·This·setup·carries·security·risks,·and·its·use·is·not | ||
| 380 | recommended.··If·Dynamic·DNS·must·be·used·despite·the·risks·it·poses,·it·is | ||
| 381 | critical·that·Dynamic·DNS·transactions·be·protected·using·TSIG·or·some·other | ||
| 382 | cryptographic·authentication·mechanism.·See·dhcpd.conf(5)·for·more·information | ||
| 383 | about·protecting·the·DHCP·server·from·passing·along·malicious·DNS·data·from·its | ||
| 384 | clients.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 385 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 386 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp"·id="guide-tree-leaf-idm29669"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">Deny·BOOTP·Queries | ||
| 387 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unless·your·network·needs·to·support·older·BOOTP·clients,·disable | ||
| 388 | support·for·the·bootp·protocol·by·adding·or·correcting·the·global·option: | ||
| 389 | <pre>deny·bootp;</pre></p><span·class="label·label-primary">Rationale:</span><p>The·bootp·option·tells·dhcpd·to·respond·to·BOOTP·queries.·If·support | ||
| 390 | for·this·simpler·protocol·is·not·needed,·it·should·be·disabled·to·remove·attack | ||
| 391 | vectors·against·the·DHCP·server.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 392 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 393 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 394 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 395 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 396 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 397 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 398 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 399 | the·dhcp·package·can·be·uninstalled. | ||
| 400 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 401 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 402 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 403 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 404 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 405 | # | ||
| 406 | #·Example·Call(s): | ||
| 407 | # | ||
| 408 | #·····package_remove·telnet-server | ||
| 409 | # | ||
| 410 | function·package_remove·{ | ||
| 411 | #·Load·function·arguments·into·local·variables | ||
| 412 | local·package="$1" | ||
| 413 | #·Check·sanity·of·the·input | ||
| 414 | if·[·$#·-ne·"1"·] | ||
| 415 | then | ||
| 416 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 417 | ··echo·"Aborting." | ||
| 418 | ··exit·1 | ||
| 419 | fi | ||
| 420 | if·which·dnf·;·then | ||
| 421 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 422 | ····dnf·remove·-y·"$package" | ||
| 423 | ··fi | ||
| 424 | elif·which·yum·;·then | ||
| 425 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 426 | ····yum·remove·-y·"$package" | ||
| 427 | ··fi | ||
| Max diff block lines reached; 1728532/1760624 bytes (98.18%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_im[·...·truncated·by·diffoscope;·len:·1152,·SHA1:·dd5cc62f3a273462962f45a6acbfc2a35644bcb6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 315, 45 lines modified | Offset 315, 15 lines modified | ||
| 315 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, | 315 | to·different·identity·and·authentication·providers·such·as·Red·Hat's·IdM,·Microsoft's·AD, |
| 316 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline | 316 | openLDAP,·MIT·Kerberos,·etc.·It·uses·a·common·framework·that·can·provide·caching·and·offline |
| 317 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication | 317 | support·to·systems·utilizing·SSSD.·SSSD·using·caching·to·reduce·load·on·authentication |
| 318 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. | 318 | servers·permit·offline·authentication·as·well·as·store·extended·user·data. |
| 319 | <br><br> | 319 | <br><br> |
| 320 | For·more·information,·see | 320 | For·more·information,·see |
| 321 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> | 321 | <b><a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b> |
| 322 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 322 | </p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sssd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 324 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 325 | parameters·from·a·server. | ||
| 326 | <br><br> | ||
| 327 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 328 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 329 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 330 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 331 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 332 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 333 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 334 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 335 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable·DHCP·Server | ||
| 336 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·must·act·as·a·DHCP·server,·the·configuration | ||
| 337 | information·it·serves·should·be·minimized.·Also,·support·for·other·protocols | ||
| 338 | and·DNS-updating·schemes·should·be·explicitly·disabled·unless·needed.·The | ||
| 339 | configuration·file·for·dhcpd·is·called·<code>/etc/dhcp/dhcpd.conf</code>.·The·file | ||
| 340 | begins·with·a·number·of·global·configuration·options.·The·remainder·of·the·file | ||
| 341 | is·divided·into·sections,·one·for·each·block·of·addresses·offered·by·dhcpd, | ||
| 342 | each·of·which·contains·configuration·options·specific·to·that·address | ||
| 343 | block.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 344 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 345 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 346 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 347 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dhcp_client_configuration">Configure·DHCP·Client·if·Necessary | ||
| 348 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp_client_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·DHCP·must·be·used,·then·certain·configuration·changes·can | ||
| 349 | minimize·the·amount·of·information·it·receives·and·applies·from·the·network, | ||
| 350 | and·thus·the·amount·of·incorrect·information·a·rogue·DHCP·server·could | ||
| 351 | successfully·distribute.··For·more·information·on·configuring·dhclient,·see·the | ||
| 352 | <code>dhclient(8)</code>·and·<code>dhclient.conf(5)</code>·man·pages.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 353 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 354 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 324 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 355 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 325 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 356 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 326 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 357 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 327 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 358 | outside·world. | 328 | outside·world. |
| 359 | <br><br> | 329 | <br><br> |
| Offset 401, 42 lines modified | Offset 371, 15 lines modified | ||
| 401 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully | 371 | installation.·The·multiple·security·models·implemented·by·SNMP·cannot·be·fully |
| 402 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: | 372 | covered·here·so·only·the·following·general·configuration·advice·can·be·offered: |
| 403 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network | 373 | <ul><li>use·only·SNMP·version·3·security·models·and·enable·the·use·of·authentication·and·encryption</li><li>write·access·to·the·MIB·(Management·Information·Base)·should·be·allowed·only·if·necessary</li><li>all·access·to·the·MIB·should·be·restricted·following·a·principle·of·least·privilege</li><li>network·access·should·be·limited·to·the·maximum·extent·possible·including·restricting·to·expected·network |
| 404 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management | 374 | addresses·both·in·the·configuration·files·and·in·the·system·firewall·rules</li><li>ensure·SNMP·agents·send·traps·only·to,·and·accept·SNMP·queries·only·from,·authorized·management |
| 405 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible | 375 | stations</li><li>ensure·that·permissions·on·the·<code>snmpd.conf</code>·configuration·file·(by·default,·in·<code>/etc/snmp</code>)·are·640·or·more·restrictive</li><li>ensure·that·any·MIB·files'·permissions·are·also·640·or·more·restrictive</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable·SNMP·Server·if·Possible |
| 406 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote | 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·system·includes·an·SNMP·daemon·that·allows·for·its·remote |
| 407 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and | 377 | monitoring,·though·it·not·installed·by·default.·If·it·was·installed·and |
| 408 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 378 | activated·but·is·not·needed,·the·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 409 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 410 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 411 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 412 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 413 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_restrict_at_cron_users">Restrict·at·and·cron·to·Authorized·Users·if·Necessary | ||
| 414 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_restrict_at_cron_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>/etc/cron.allow</code>·and·<code>/etc/at.allow</code>·files·contain·lists·of·users·who·are·allowed | ||
| 415 | to·use·cron·and·at·to·delay·execution·of·processes.·If·these·files·exist·and | ||
| 416 | if·the·corresponding·files·<code>/etc/cron.deny</code>·and·<code>/etc/at.deny</code>·do·not·exist, | ||
| 417 | then·only·users·listed·in·the·relevant·allow·files·can·run·the·crontab·and·at | ||
| 418 | commands·to·submit·jobs·to·be·run·at·scheduled·intervals. | ||
| 419 | On·many·systems,·only·the·system·administrator·needs·the·ability·to·schedule | ||
| 420 | jobs.·Note·that·even·if·a·given·user·is·not·listed·in·<code>cron.allow</code>,·cron·jobs·can | ||
| 421 | still·be·run·as·that·user.·The·<code>cron.allow</code>·file·controls·only·administrative·access | ||
| 422 | to·the·crontab·command·for·scheduling·and·modifying·cron·jobs. | ||
| 423 | <br> | ||
| 424 | <br> | ||
| 425 | To·restrict·at·and·cron·to·only·authorized·users: | ||
| 426 | <ul><li>Remove·the·cron.deny·file:<pre>$·sudo·rm·/etc/cron.deny</pre></li><li>Edit·<code>/etc/cron.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·crontab·command·to·create·cron·jobs.</li><li>Remove·the·<code>at.deny</code>·file:<pre>$·sudo·rm·/etc/at.deny</pre></li><li>Edit·<code>/etc/at.allow</code>,·adding·one·line·for·each·user·allowed·to·use·the·at·command·to·create·at·jobs.</li></ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_restrict_at_cron_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_xwindows">X·Window·System | ||
| 427 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·X·Window·System·implementation·included·with·the | ||
| 428 | system·is·called·X.org.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_xwindows">Disable·X·Windows | ||
| 429 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_xwindows">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Unless·there·is·a·mission-critical·reason·for·the | ||
| 430 | system·to·run·a·graphical·user·interface,·ensure·X·is·not·set·to·start | ||
| 431 | automatically·at·boot·and·remove·the·X·Windows·software·packages. | ||
| 432 | There·is·usually·no·reason·to·run·X·Windows | ||
| 433 | on·a·dedicated·server·system,·as·it·increases·the·system's·attack·surface·and·consumes | ||
| 434 | system·resources.·Administrators·of·server·systems·should·instead·login·via | ||
| 435 | SSH·or·on·the·text·console.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_xwindows"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 436 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 379 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 437 | services·which·have·historically·caused·problems·for·system | 380 | services·which·have·historically·caused·problems·for·system |
| 438 | security,·and·for·which·disabling·or·severely·limiting·the·service | 381 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 439 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 382 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 440 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 | 383 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·6 |
| 441 | by·default. | 384 | by·default. |
| 442 | <br><br> | 385 | <br><br> |
| Offset 470, 138 lines modified | Offset 413, 128 lines modified | ||
| 470 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 413 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 471 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 414 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 472 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 415 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 473 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 416 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 474 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 417 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 475 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 418 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·6.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 476 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 419 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 477 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 420 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 478 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 421 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 479 | 422 | standardized·way·of·looking·up·information·from·a·central·database. | |
| 480 | 423 | Red·Hat·Enterprise·Linux·6·includes·software·that·enables·a·system·to·act·as·both | |
| 481 | and·then·detail | 424 | an·LDAP·client·and·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openldap_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_openldap_server">Configure·OpenLDAP·Server |
| 482 | 425 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openldap_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·details·some·security-relevant·settings | |
| 483 | 426 | for·an·OpenLDAP·server.··Installation·and·configuration·of·OpenLDAP·on·Red·Hat·Enterprise·Linux·6·is·available·at: | |
| 484 | 427 | <a·href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openldap_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openldap_server"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">Install·and·Protect·LDAP·Certificate·Files | |
| 485 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 428 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Create·the·PKI·directory·for·LDAP·certificates·if·it·does·not·already·exist: |
| 486 | 429 | <pre>$·sudo·mkdir·/etc/pki/tls/ldap | |
| 487 | 430 | $·sudo·chown·root:root·/etc/pki/tls/ldap | |
| 488 | 431 | $·sudo·chmod·755·/etc/pki/tls/ldap</pre> | |
| 489 | 432 | Using·removable·media·or·some·other·secure·transmission·format,·install·the·certificate·files | |
| 490 | 433 | onto·the·LDAP·server: | |
| 491 | 434 | <ul><li><code>/etc/pki/tls/ldap/serverkey.pem</code>:·the·private·key·<code>ldapserverkey.pem</code></li><li><code>/etc/pki/tls/ldap/servercert.pem</code>:·the·certificate·file·<code>ldapservercert.pem</code></li></ul> | |
| Max diff block lines reached; 167027/225942 bytes (73.92%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·887,·SHA1:·65d32b80d8d9fc9390e2f6a61646977453fe2c7d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 432, 198 lines modified | Offset 432, 14 lines modified | ||
| 432 | class·remove_httpd·{ | 432 | class·remove_httpd·{ |
| 433 | ··package·{·'httpd': | 433 | ··package·{·'httpd': |
| 434 | ····ensure·=>·'purged', | 434 | ····ensure·=>·'purged', |
| 435 | ··} | 435 | ··} |
| 436 | } | 436 | } |
| 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 438 | package·--remove=httpd | 438 | package·--remove=httpd |
| 439 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 440 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 441 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 442 | parameters·from·a·server. | ||
| 443 | <br><br> | ||
| 444 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 445 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 446 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 447 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 448 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 449 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 450 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 451 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 452 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 454 | the·dhcp·package·can·be·uninstalled. | ||
| 455 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 456 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 457 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 458 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 459 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 460 | # | ||
| 461 | #·Example·Call(s): | ||
| 462 | # | ||
| 463 | #·····package_remove·telnet-server | ||
| 464 | # | ||
| 465 | function·package_remove·{ | ||
| 466 | #·Load·function·arguments·into·local·variables | ||
| 467 | local·package="$1" | ||
| 468 | #·Check·sanity·of·the·input | ||
| 469 | if·[·$#·-ne·"1"·] | ||
| 470 | then | ||
| 471 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 472 | ··echo·"Aborting." | ||
| 473 | ··exit·1 | ||
| 474 | fi | ||
| 475 | if·which·dnf·;·then | ||
| 476 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 477 | ····dnf·remove·-y·"$package" | ||
| 478 | ··fi | ||
| 479 | elif·which·yum·;·then | ||
| 480 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 481 | ····yum·remove·-y·"$package" | ||
| 482 | ··fi | ||
| 483 | elif·which·apt-get·;·then | ||
| 484 | ··apt-get·remove·-y·"$package" | ||
| 485 | else | ||
| 486 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 487 | ··echo·"Aborting." | ||
| 488 | ··exit·1 | ||
| 489 | fi | ||
| 490 | } | ||
| 491 | package_remove·dhcp | ||
| 492 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29700">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29700"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 493 | ··package: | ||
| 494 | ····name="{{item}}" | ||
| 495 | ····state=absent | ||
| 496 | ··with_items: | ||
| 497 | ····-·dhcp | ||
| 498 | ··tags: | ||
| 499 | ····-·package_dhcp_removed | ||
| 500 | ····-·medium_severity | ||
| 501 | ····-·disable_strategy | ||
| 502 | ····-·low_complexity | ||
| 503 | ····-·low_disruption | ||
| 504 | ····-·CCE-27120-5 | ||
| 505 | ····-·NIST-800-53-CM-7 | ||
| 506 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29701">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29701"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 507 | class·remove_dhcp·{ | ||
| 508 | ··package·{·'dhcp': | ||
| 509 | ····ensure·=>·'purged', | ||
| 510 | ··} | ||
| 511 | } | ||
| 512 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29702"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 513 | package·--remove=dhcp | ||
| 514 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 515 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 516 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 517 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 518 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 519 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 520 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 521 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 522 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 523 | # | ||
| 524 | #·Example·Call(s): | ||
| 525 | # | ||
| 526 | #·····service_command·enable·bluetooth | ||
| 527 | #·····service_command·disable·bluetooth.service | ||
| 528 | # | ||
| 529 | #·····Using·xinetd: | ||
| 530 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 531 | # | ||
| 532 | function·service_command·{ | ||
| 533 | #·Load·function·arguments·into·local·variables | ||
| Max diff block lines reached; 1793881/1815455 bytes (98.81%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA1:·41be5defbc9b88735c60d3c6378434afc19f29f2·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29640">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29640"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29642"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 248 lines modified | Offset 201, 35 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29647"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 212 | <em>ntpserver</em>: | ||
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29792"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 210 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 211 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 212 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 213 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 214 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 215 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 218 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29665"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 229 | ···················· | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 230 | 220 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | |
| 231 | 221 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | |
| 232 | 222 | <em>ntpserver</em>: | |
| 233 | 223 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | |
| 234 | 224 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | |
| 235 | 225 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | |
| 236 | 226 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 237 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 238 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 239 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 240 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 241 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29977">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29977"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 242 | # | ||
| 243 | #·Example·Call(s): | ||
| 244 | # | ||
| 245 | #·····service_command·enable·bluetooth | ||
| 246 | #·····service_command·disable·bluetooth.service | ||
| 247 | # | ||
| 248 | #·····Using·xinetd: | ||
| 249 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 250 | # | ||
| 251 | function·service_command·{ | ||
| 252 | #·Load·function·arguments·into·local·variables | ||
| 253 | local·service_state=$1 | ||
| 254 | local·service=$2 | ||
| 255 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 256 | #·Check·sanity·of·the·input | ||
| 257 | if·[·$#·-lt·"2"·] | ||
| 258 | then | ||
| 259 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 260 | ··echo | ||
| Max diff block lines reached; 1906633/1934224 bytes (98.57%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 87, 41 lines modified | Offset 87, 41 lines modified | ||
| 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29006"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible | 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29006"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible |
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than |
| 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: |
| 90 | <pre>local_enable=NO</pre> | 90 | <pre>local_enable=NO</pre> |
| 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure |
| 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 96 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 97 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 98 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 99 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 101 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 102 | <pre>write_enable=NO</pre> | ||
| 103 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 104 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 105 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 106 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 107 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29062"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can |
| 96 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | 109 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent |
| 97 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 110 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 98 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm290 | 111 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 100 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 113 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 101 | <pre>xferlog_enable=YES | 114 | <pre>xferlog_enable=YES |
| 102 | xferlog_std_format=NO | 115 | xferlog_std_format=NO |
| 103 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 116 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 104 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 117 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 105 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 118 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 119 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 120 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 109 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 110 | <pre>write_enable=NO</pre> | ||
| 111 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 112 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 113 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 114 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 117 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 118 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 119 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 120 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package |
| 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. |
| 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security |
| 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| Offset 181, 44 lines modified | Offset 181, 15 lines modified | ||
| 181 | class·install_vsftpd·{ | 181 | class·install_vsftpd·{ |
| 182 | ··package·{·'vsftpd': | 182 | ··package·{·'vsftpd': |
| 183 | ····ensure·=>·'installed', | 183 | ····ensure·=>·'installed', |
| 184 | ··} | 184 | ··} |
| 185 | } | 185 | } |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29094">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29094"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> | 186 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29094">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29094"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> |
| 187 | package·--add=vsftpd | 187 | package·--add=vsftpd |
| 188 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 188 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 189 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 190 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 191 | parameters·from·a·server. | ||
| 192 | <br><br> | ||
| 193 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 194 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 195 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 196 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 197 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 198 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 199 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 200 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 201 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 203 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 204 | following·changes: | ||
| 205 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 206 | <pre>BOOTPROTO=none</pre> | ||
| 207 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 208 | values·based·on·your·site's·addressing·scheme: | ||
| 209 | <pre>NETMASK=255.255.255.0 | ||
| 210 | IPADDR=192.168.1.2 | ||
| 211 | GATEWAY=192.168.1.1</pre> | ||
| 212 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 213 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 214 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 215 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 216 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 217 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 218 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 189 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 219 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 190 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 220 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 191 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 221 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 192 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 222 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 193 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 223 | outside·world. | 194 | outside·world. |
| 224 | <br><br> | 195 | <br><br> |
| Offset 237, 15 lines modified | Offset 208, 15 lines modified | ||
| 237 | <br><br> | 208 | <br><br> |
| 238 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 209 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 239 | servers,·and·the·remainder·obtaining·time·information·from·those | 210 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 240 | internal·servers. | 211 | internal·servers. |
| 241 | <br><br> | 212 | <br><br> |
| 242 | More·information·on·how·to·configure·the·NTP·server·software, | 213 | More·information·on·how·to·configure·the·NTP·server·software, |
| 243 | including·configuration·of·cryptographic·authentication·for | 214 | including·configuration·of·cryptographic·authentication·for |
| 244 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 215 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 245 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 246 | ·········· | 217 | ·········· |
| 247 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 218 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| Max diff block lines reached; 1857686/1889690 bytes (98.31%) of diff not shown. | |||
| Offset 61, 15 lines modified | Offset 61, 15 lines modified | ||
| 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 64 | quality,·reliability,·or·any·other·characteristic. | 64 | quality,·reliability,·or·any·other·characteristic. |
| 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#x[·...·truncated·by·diffoscope;·len:·732,·SHA1:·2219f187bb27e11bbb6b7ed4731606f600bfb059·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 333, 218 lines modified | Offset 333, 14 lines modified | ||
| 333 | class·remove_httpd·{ | 333 | class·remove_httpd·{ |
| 334 | ··package·{·'httpd': | 334 | ··package·{·'httpd': |
| 335 | ····ensure·=>·'purged', | 335 | ····ensure·=>·'purged', |
| 336 | ··} | 336 | ··} |
| 337 | } | 337 | } |
| 338 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 338 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 339 | package·--remove=httpd | 339 | package·--remove=httpd |
| 340 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 341 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 342 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 343 | parameters·from·a·server. | ||
| 344 | <br><br> | ||
| 345 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 346 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 347 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 348 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 349 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 350 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 351 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 352 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 353 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 354 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 355 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 356 | following·changes: | ||
| 357 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 358 | <pre>BOOTPROTO=none</pre> | ||
| 359 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 360 | values·based·on·your·site's·addressing·scheme: | ||
| 361 | <pre>NETMASK=255.255.255.0 | ||
| 362 | IPADDR=192.168.1.2 | ||
| 363 | GATEWAY=192.168.1.1</pre> | ||
| 364 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 365 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 366 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 367 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 368 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 369 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 370 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 371 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 372 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 373 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 374 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 375 | the·dhcp·package·can·be·uninstalled. | ||
| 376 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 377 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 378 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 380 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 381 | # | ||
| 382 | #·Example·Call(s): | ||
| 383 | # | ||
| 384 | #·····package_remove·telnet-server | ||
| 385 | # | ||
| 386 | function·package_remove·{ | ||
| 387 | #·Load·function·arguments·into·local·variables | ||
| 388 | local·package="$1" | ||
| 389 | #·Check·sanity·of·the·input | ||
| 390 | if·[·$#·-ne·"1"·] | ||
| 391 | then | ||
| 392 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 393 | ··echo·"Aborting." | ||
| 394 | ··exit·1 | ||
| 395 | fi | ||
| 396 | if·which·dnf·;·then | ||
| 397 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····dnf·remove·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·yum·;·then | ||
| 401 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 402 | ····yum·remove·-y·"$package" | ||
| 403 | ··fi | ||
| 404 | elif·which·apt-get·;·then | ||
| 405 | ··apt-get·remove·-y·"$package" | ||
| 406 | else | ||
| 407 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 408 | ··echo·"Aborting." | ||
| 409 | ··exit·1 | ||
| 410 | fi | ||
| 411 | } | ||
| 412 | package_remove·dhcp | ||
| 413 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29700">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29700"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 414 | ··package: | ||
| 415 | ····name="{{item}}" | ||
| 416 | ····state=absent | ||
| 417 | ··with_items: | ||
| 418 | ····-·dhcp | ||
| 419 | ··tags: | ||
| 420 | ····-·package_dhcp_removed | ||
| 421 | ····-·medium_severity | ||
| 422 | ····-·disable_strategy | ||
| 423 | ····-·low_complexity | ||
| 424 | ····-·low_disruption | ||
| 425 | ····-·CCE-27120-5 | ||
| 426 | ····-·NIST-800-53-CM-7 | ||
| 427 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29701">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29701"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 428 | class·remove_dhcp·{ | ||
| 429 | ··package·{·'dhcp': | ||
| 430 | ····ensure·=>·'purged', | ||
| 431 | ··} | ||
| 432 | } | ||
| 433 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29702"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 434 | package·--remove=dhcp | ||
| 435 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 436 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| Max diff block lines reached; 2169348/2193196 bytes (98.91%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29640">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29640"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29642"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 48 lines modified | Offset 201, 48 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_ | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29647"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 212 | <em>ntpserver</em>: | ||
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29792"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server | ||
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 210 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 211 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 212 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 213 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 214 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 215 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 218 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29665"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 220 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 221 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 222 | <em>ntpserver</em>: | ||
| 223 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 224 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 225 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 226 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 227 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 228 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ssh">SSH·Server | ||
| 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and | 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·SSH·protocol·is·recommended·for·remote·login·and |
| 230 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity | 230 | remote·file·transfer.·SSH·provides·confidentiality·and·integrity |
| 231 | for·data·exchanged·between·two·systems,·as·well·as·server | 231 | for·data·exchanged·between·two·systems,·as·well·as·server |
| 232 | authentication,·through·the·use·of·public·key·cryptography.·The | 232 | authentication,·through·the·use·of·public·key·cryptography.·The |
| 233 | implementation·included·with·the·system·is·called·OpenSSH,·and·more | 233 | implementation·included·with·the·system·is·called·OpenSSH,·and·more |
| 234 | detailed·documentation·is·available·from·its·website, | 234 | detailed·documentation·is·available·from·its·website, |
| 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31 | 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31843"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 243 | interval. | 243 | interval. |
| 244 | After·this·interval·has·passed,·the·idle·user·will·be | 244 | After·this·interval·has·passed,·the·idle·user·will·be |
| 245 | automatically·logged·out. | 245 | automatically·logged·out. |
| 246 | <br><br> | 246 | <br><br> |
| 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 248 | follows: | 248 | follows: |
| Offset 253, 23 lines modified | Offset 253, 23 lines modified | ||
| 253 | If·a·shorter·timeout·has·already·been·set·for·the·login | 253 | If·a·shorter·timeout·has·already·been·set·for·the·login |
| 254 | shell,·that·value·will·preempt·any·SSH | 254 | shell,·that·value·will·preempt·any·SSH |
| 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| Max diff block lines reached; 837803/861593 bytes (97.24%) of diff not shown. | |||
| Offset 56, 135 lines modified | Offset 56, 23 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 73 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 74 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 75 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 76 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm29984"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 78 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 79 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 80 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 81 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 82 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 83 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 84 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 85 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 86 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 87 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30002">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30002"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 89 | # | ||
| 90 | #·Example·Call(s): | ||
| 91 | # | ||
| 92 | #·····service_command·enable·bluetooth | ||
| 93 | #·····service_command·disable·bluetooth.service | ||
| 94 | # | ||
| 95 | #·····Using·xinetd: | ||
| 96 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 97 | # | ||
| 98 | function·service_command·{ | ||
| 99 | #·Load·function·arguments·into·local·variables | ||
| 100 | local·service_state=$1 | ||
| 101 | local·service=$2 | ||
| 102 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 103 | #·Check·sanity·of·the·input | ||
| 104 | if·[·$#·-lt·"2"·] | ||
| 105 | then | ||
| 106 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 107 | ··echo | ||
| 108 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 109 | ··echo·"as·the·last·argument"·· | ||
| 110 | ··echo·"Aborting." | ||
| 111 | ··exit·1 | ||
| 112 | fi | ||
| 113 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 114 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 115 | ··service_util="/usr/bin/systemctl" | ||
| 116 | else | ||
| 117 | ··service_util="/sbin/service" | ||
| 118 | ··chkconfig_util="/sbin/chkconfig" | ||
| 119 | fi | ||
| 120 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 121 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 122 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 123 | ··service_state="enable" | ||
| 124 | ··service_operation="start" | ||
| 125 | ··chkconfig_state="on" | ||
| 126 | else | ||
| 127 | ··service_state="disable" | ||
| 128 | ··service_operation="stop" | ||
| 129 | ··chkconfig_state="off" | ||
| 130 | fi | ||
| 131 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 132 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 133 | ··$service_util·$service·$service_operation | ||
| 134 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 135 | else | ||
| 136 | ··$service_util·$service_operation·$service | ||
| 137 | ··$service_util·$service_state·$service | ||
| 138 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 139 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 140 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 141 | ··$service_util·reset-failed·$service | ||
| 142 | fi | ||
| 143 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 144 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 145 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 146 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 147 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 148 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 149 | ··else | ||
| 150 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 151 | ··fi | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | service_command·disable·atd | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30004">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30004"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 156 | ··service: | ||
| 157 | ····name="{{item}}" | ||
| 158 | ····enabled="no" | ||
| 159 | ····state="stopped" | ||
| 160 | ··register:·service_result | ||
| 161 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 162 | ··with_items: | ||
| 163 | ····-·atd | ||
| 164 | ··tags: | ||
| 165 | ····-·service_atd_disabled | ||
| 166 | ····-·unknown_severity | ||
| 167 | ····-·disable_strategy | ||
| 168 | ····-·low_complexity | ||
| 169 | ····-·low_disruption | ||
| 170 | ····-·CCE-27249-2 | ||
| 171 | ····-·NIST-800-53-CM-7 | ||
| 172 | ····-·DISA-STIG-RHEL-06-000262 | ||
| Max diff block lines reached; 578209/593189 bytes (97.47%) of diff not shown. | |||
| Offset 57, 52 lines modified | Offset 57, 23 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><[·...·truncated·by·diffoscope;·len:·661,·SHA1:·0654191da42b7edd25844a8803051c26453d234e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 74 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 75 | parameters·from·a·server. | ||
| 76 | <br><br> | ||
| 77 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 78 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 79 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 80 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 81 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 83 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 84 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 85 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 86 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 87 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 88 | following·changes: | ||
| 89 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 90 | <pre>BOOTPROTO=none</pre> | ||
| 91 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 92 | values·based·on·your·site's·addressing·scheme: | ||
| 93 | <pre>NETMASK=255.255.255.0 | ||
| 94 | IPADDR=192.168.1.2 | ||
| 95 | GATEWAY=192.168.1.1</pre> | ||
| 96 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 97 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 98 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 99 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 101 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 102 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 103 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 74 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 104 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 75 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 105 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 76 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 106 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 77 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 107 | outside·world. | 78 | outside·world. |
| 108 | <br><br> | 79 | <br><br> |
| Offset 121, 15 lines modified | Offset 92, 15 lines modified | ||
| 121 | <br><br> | 92 | <br><br> |
| 122 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 93 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 123 | servers,·and·the·remainder·obtaining·time·information·from·those | 94 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 124 | internal·servers. | 95 | internal·servers. |
| 125 | <br><br> | 96 | <br><br> |
| 126 | More·information·on·how·to·configure·the·NTP·server·software, | 97 | More·information·on·how·to·configure·the·NTP·server·software, |
| 127 | including·configuration·of·cryptographic·authentication·for | 98 | including·configuration·of·cryptographic·authentication·for |
| 128 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 99 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 130 | ·········· | 101 | ·········· |
| 131 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 102 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 132 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 103 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 133 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 104 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 134 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 105 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 135 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 106 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 138, 15 lines modified | Offset 109, 15 lines modified | ||
| 138 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 109 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 139 | logs·and·auditing·possible·security·breaches.·· | 110 | logs·and·auditing·possible·security·breaches.·· |
| 140 | <br><br> | 111 | <br><br> |
| 141 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 112 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 142 | deprecated.··Additional·information·on·this·is·available·at· | 113 | deprecated.··Additional·information·on·this·is·available·at· |
| 143 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 114 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 144 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 115 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 145 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 116 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29640">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29640"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 146 | # | 117 | # |
| 147 | #·Example·Call(s): | 118 | #·Example·Call(s): |
| 148 | # | 119 | # |
| 149 | #·····service_command·enable·bluetooth | 120 | #·····service_command·enable·bluetooth |
| 150 | #·····service_command·disable·bluetooth.service | 121 | #·····service_command·disable·bluetooth.service |
| 151 | # | 122 | # |
| 152 | #·····Using·xinetd: | 123 | #·····Using·xinetd: |
| Offset 214, 15 lines modified | Offset 185, 15 lines modified | ||
| 214 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 185 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 215 | ··fi | 186 | ··fi |
| 216 | fi | 187 | fi |
| 217 | } | 188 | } |
| 218 | service_command·enable·ntpd | 189 | service_command·enable·ntpd |
| 219 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 190 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29642"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 220 | ··service: | 191 | ··service: |
| 221 | ····name="{{item}}" | 192 | ····name="{{item}}" |
| 222 | ····enabled="yes" | 193 | ····enabled="yes" |
| 223 | ····state="started" | 194 | ····state="started" |
| 224 | ··with_items: | 195 | ··with_items: |
| 225 | ····-·ntpd | 196 | ····-·ntpd |
| 226 | ··tags: | 197 | ··tags: |
| Offset 231, 320 lines modified | Offset 202, 25 lines modified | ||
| 231 | ····-·enable_strategy | 202 | ····-·enable_strategy |
| 232 | ····-·low_complexity | 203 | ····-·low_complexity |
| 233 | ····-·low_disruption | 204 | ····-·low_disruption |
| 234 | ····-·CCE-27093-4 | 205 | ····-·CCE-27093-4 |
| 235 | ····-·NIST-800-53-AU-8(1) | 206 | ····-·NIST-800-53-AU-8(1) |
| 236 | ····-·PCI-DSS-Req-10.4 | 207 | ····-·PCI-DSS-Req-10.4 |
| 237 | ····-·DISA-STIG-RHEL-06-000247 | 208 | ····-·DISA-STIG-RHEL-06-000247 |
| 238 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 209 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29647"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 239 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 240 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 211 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 241 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 212 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 242 | <pre>server·<i>ntpserver</i></pre> | 213 | <pre>server·<i>ntpserver</i></pre> |
| 243 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 214 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 244 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 215 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 245 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 216 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 246 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 247 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 248 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 219 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 249 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 250 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 251 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 252 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 253 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm29967"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 254 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 255 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 256 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| Max diff block lines reached; 1829058/1873907 bytes (97.61%) of diff not shown. | |||
| Offset 58, 15 lines modified | Offset 58, 15 lines modified | ||
| 58 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 58 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 62 | quality,·reliability,·or·any·other·characteristic. | 62 | quality,·reliability,·or·any·other·characteristic. |
| 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 64 | ····························(as·of·2018-07-26) | 64 | ····························(as·of·2018-07-26) |
| 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.[·...·truncated·by·diffoscope;·len:·426,·SHA1:·272d3d702e27eb16cc11a094bca0fa13fa0b2249·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 69 | ones·can·be·safely·disabled. | 69 | ones·can·be·safely·disabled. |
| 70 | <br><br> | 70 | <br><br> |
| 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 93, 15 lines modified | Offset 93, 15 lines modified | ||
| 93 | <br><br> | 93 | <br><br> |
| 94 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 94 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 95 | servers,·and·the·remainder·obtaining·time·information·from·those | 95 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 96 | internal·servers. | 96 | internal·servers. |
| 97 | <br><br> | 97 | <br><br> |
| 98 | More·information·on·how·to·configure·the·NTP·server·software, | 98 | More·information·on·how·to·configure·the·NTP·server·software, |
| 99 | including·configuration·of·cryptographic·authentication·for | 99 | including·configuration·of·cryptographic·authentication·for |
| 100 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 100 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 102 | ·········· | 102 | ·········· |
| 103 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 103 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 104 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 104 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 105 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 105 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 106 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 106 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 107 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 107 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 110, 15 lines modified | Offset 110, 15 lines modified | ||
| 110 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 110 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 111 | logs·and·auditing·possible·security·breaches.·· | 111 | logs·and·auditing·possible·security·breaches.·· |
| 112 | <br><br> | 112 | <br><br> |
| 113 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 113 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 114 | deprecated.··Additional·information·on·this·is·available·at· | 114 | deprecated.··Additional·information·on·this·is·available·at· |
| 115 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 115 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 116 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 116 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29640">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29640"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 118 | # | 118 | # |
| 119 | #·Example·Call(s): | 119 | #·Example·Call(s): |
| 120 | # | 120 | # |
| 121 | #·····service_command·enable·bluetooth | 121 | #·····service_command·enable·bluetooth |
| 122 | #·····service_command·disable·bluetooth.service | 122 | #·····service_command·disable·bluetooth.service |
| 123 | # | 123 | # |
| 124 | #·····Using·xinetd: | 124 | #·····Using·xinetd: |
| Offset 186, 15 lines modified | Offset 186, 15 lines modified | ||
| 186 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 186 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 187 | ··fi | 187 | ··fi |
| 188 | fi | 188 | fi |
| 189 | } | 189 | } |
| 190 | service_command·enable·ntpd | 190 | service_command·enable·ntpd |
| 191 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 191 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29642"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 192 | ··service: | 192 | ··service: |
| 193 | ····name="{{item}}" | 193 | ····name="{{item}}" |
| 194 | ····enabled="yes" | 194 | ····enabled="yes" |
| 195 | ····state="started" | 195 | ····state="started" |
| 196 | ··with_items: | 196 | ··with_items: |
| 197 | ····-·ntpd | 197 | ····-·ntpd |
| 198 | ··tags: | 198 | ··tags: |
| Offset 203, 238 lines modified | Offset 203, 25 lines modified | ||
| 203 | ····-·enable_strategy | 203 | ····-·enable_strategy |
| 204 | ····-·low_complexity | 204 | ····-·low_complexity |
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27093-4 | 206 | ····-·CCE-27093-4 |
| 207 | ····-·NIST-800-53-AU-8(1) | 207 | ····-·NIST-800-53-AU-8(1) |
| 208 | ····-·PCI-DSS-Req-10.4 | 208 | ····-·PCI-DSS-Req-10.4 |
| 209 | ····-·DISA-STIG-RHEL-06-000247 | 209 | ····-·DISA-STIG-RHEL-06-000247 |
| 210 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 210 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29647"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 212 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 212 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 213 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 213 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 214 | <pre>server·<i>ntpserver</i></pre> | 214 | <pre>server·<i>ntpserver</i></pre> |
| 215 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 215 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 216 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 216 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 217 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 217 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 218 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 218 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 219 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 219 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 220 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 220 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 221 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 222 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 223 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 224 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 225 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm29967"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 227 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 228 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 229 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 230 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 231 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 232 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 233 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29977">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29977"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 234 | # | ||
| 235 | #·Example·Call(s): | ||
| 236 | # | ||
| 237 | #·····service_command·enable·bluetooth | ||
| 238 | #·····service_command·disable·bluetooth.service | ||
| 239 | # | ||
| 240 | #·····Using·xinetd: | ||
| 241 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 242 | # | ||
| 243 | function·service_command·{ | ||
| 244 | #·Load·function·arguments·into·local·variables | ||
| 245 | local·service_state=$1 | ||
| 246 | local·service=$2 | ||
| 247 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 248 | #·Check·sanity·of·the·input | ||
| 249 | if·[·$#·-lt·"2"·] | ||
| 250 | then | ||
| 251 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 252 | ··echo | ||
| 253 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 254 | ··echo·"as·the·last·argument"·· | ||
| 255 | ··echo·"Aborting." | ||
| 256 | ··exit·1 | ||
| 257 | fi | ||
| 258 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 259 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 260 | ··service_util="/usr/bin/systemctl" | ||
| 261 | else | ||
| Max diff block lines reached; 1804883/1835059 bytes (98.36%) of diff not shown. | |||
| Offset 63, 15 lines modified | Offset 63, 15 lines modified | ||
| 63 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 63 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 67 | quality,·reliability,·or·any·other·characteristic. | 67 | quality,·reliability,·or·any·other·characteristic. |
| 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 69 | ····························(as·of·2018-07-26) | 69 | ····························(as·of·2018-07-26) |
| 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href[·...·truncated·by·diffoscope;·len:·837,·SHA1:·9eb0d8fb27d69580f55a433ff04eb02c23276d4a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 74 | ones·can·be·safely·disabled. | 74 | ones·can·be·safely·disabled. |
| 75 | <br><br> | 75 | <br><br> |
| 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 84, 58 lines modified | Offset 84, 29 lines modified | ||
| 84 | <br><br> | 84 | <br><br> |
| 85 | However,·there·are·some·FTP·server·configurations·which·may | 85 | However,·there·are·some·FTP·server·configurations·which·may |
| 86 | be·appropriate·for·some·environments,·particularly·those·which | 86 | be·appropriate·for·some·environments,·particularly·those·which |
| 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading |
| 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or |
| 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_ | 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 93 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 94 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 95 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 96 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | 97 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 93 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 98 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 94 | <pre>xferlog_enable=YES | 99 | <pre>xferlog_enable=YES |
| 95 | xferlog_std_format=NO | 100 | xferlog_std_format=NO |
| 96 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | 101 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to |
| 97 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | 102 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log |
| 98 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 103 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 104 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 100 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 105 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 102 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 103 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 105 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 107 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 108 | parameters·from·a·server. | ||
| 109 | <br><br> | ||
| 110 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 111 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 112 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 113 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 114 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 115 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 116 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 117 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 118 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29620"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 120 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 121 | following·changes: | ||
| 122 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 123 | <pre>BOOTPROTO=none</pre> | ||
| 124 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 125 | values·based·on·your·site's·addressing·scheme: | ||
| 126 | <pre>NETMASK=255.255.255.0 | ||
| 127 | IPADDR=192.168.1.2 | ||
| 128 | GATEWAY=192.168.1.1</pre> | ||
| 129 | </li></ul></p><span·class="label·label-primary">Rationale:</span><p>DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 130 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 131 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 132 | unacceptable·burden·in·many·circumstances.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 133 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 134 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50480r3_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 135 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 136 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 107 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 137 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 108 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 138 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 109 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 139 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 110 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 140 | outside·world. | 111 | outside·world. |
| 141 | <br><br> | 112 | <br><br> |
| Offset 154, 15 lines modified | Offset 125, 15 lines modified | ||
| 154 | <br><br> | 125 | <br><br> |
| 155 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 126 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 156 | servers,·and·the·remainder·obtaining·time·information·from·those | 127 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 157 | internal·servers. | 128 | internal·servers. |
| 158 | <br><br> | 129 | <br><br> |
| 159 | More·information·on·how·to·configure·the·NTP·server·software, | 130 | More·information·on·how·to·configure·the·NTP·server·software, |
| 160 | including·configuration·of·cryptographic·authentication·for | 131 | including·configuration·of·cryptographic·authentication·for |
| 161 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 132 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29623"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 133 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 163 | ·········· | 134 | ·········· |
| 164 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 135 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 165 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 136 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 166 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 137 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 167 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 138 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 168 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 139 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 171, 15 lines modified | Offset 142, 15 lines modified | ||
| 171 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 142 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 172 | logs·and·auditing·possible·security·breaches.·· | 143 | logs·and·auditing·possible·security·breaches.·· |
| 173 | <br><br> | 144 | <br><br> |
| 174 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 145 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 175 | deprecated.··Additional·information·on·this·is·available·at· | 146 | deprecated.··Additional·information·on·this·is·available·at· |
| 176 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 147 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 177 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 148 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 178 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 149 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29640">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29640"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 179 | # | 150 | # |
| 180 | #·Example·Call(s): | 151 | #·Example·Call(s): |
| 181 | # | 152 | # |
| 182 | #·····service_command·enable·bluetooth | 153 | #·····service_command·enable·bluetooth |
| 183 | #·····service_command·disable·bluetooth.service | 154 | #·····service_command·disable·bluetooth.service |
| 184 | # | 155 | # |
| 185 | #·····Using·xinetd: | 156 | #·····Using·xinetd: |
| Offset 247, 15 lines modified | Offset 218, 15 lines modified | ||
| 247 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 218 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 248 | ··fi | 219 | ··fi |
| 249 | fi | 220 | fi |
| 250 | } | 221 | } |
| 251 | service_command·enable·ntpd | 222 | service_command·enable·ntpd |
| 252 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 223 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29642">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29642"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 253 | ··service: | 224 | ··service: |
| 254 | ····name="{{item}}" | 225 | ····name="{{item}}" |
| 255 | ····enabled="yes" | 226 | ····enabled="yes" |
| 256 | ····state="started" | 227 | ····state="started" |
| 257 | ··with_items: | 228 | ··with_items: |
| 258 | ····-·ntpd | 229 | ····-·ntpd |
| 259 | ··tags: | 230 | ··tags: |
| Max diff block lines reached; 2258028/2285591 bytes (98.79%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·988,·SHA1:·72fb730629963fd35d8a9f3a941a3c4bb087dd81·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 432, 198 lines modified | Offset 432, 14 lines modified | ||
| 432 | class·remove_httpd·{ | 432 | class·remove_httpd·{ |
| 433 | ··package·{·'httpd': | 433 | ··package·{·'httpd': |
| 434 | ····ensure·=>·'purged', | 434 | ····ensure·=>·'purged', |
| 435 | ··} | 435 | ··} |
| 436 | } | 436 | } |
| 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 437 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29187">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29187"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 438 | package·--remove=httpd | 438 | package·--remove=httpd |
| 439 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 440 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 441 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 442 | parameters·from·a·server. | ||
| 443 | <br><br> | ||
| 444 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 445 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 446 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 447 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 448 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable·DHCP·Server | ||
| 449 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·DHCP·server·<code>dhcpd</code>·is·not·installed·or·activated·by | ||
| 450 | default.·If·the·software·was·installed·and·activated,·but·the | ||
| 451 | system·does·not·need·to·act·as·a·DHCP·server,·it·should·be·disabled | ||
| 452 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed"·id="guide-tree-leaf-idm29690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_dhcp_removed">Uninstall·DHCP·Server·Package | ||
| 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_dhcp_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 454 | the·dhcp·package·can·be·uninstalled. | ||
| 455 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 456 | ········<pre>$·sudo·yum·erase·dhcp</pre></p><span·class="label·label-primary">Rationale:</span><p>Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 457 | accidentally·reactivated·and·disrupt·network·operation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 458 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 459 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29698">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29698"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 460 | # | ||
| 461 | #·Example·Call(s): | ||
| 462 | # | ||
| 463 | #·····package_remove·telnet-server | ||
| 464 | # | ||
| 465 | function·package_remove·{ | ||
| 466 | #·Load·function·arguments·into·local·variables | ||
| 467 | local·package="$1" | ||
| 468 | #·Check·sanity·of·the·input | ||
| 469 | if·[·$#·-ne·"1"·] | ||
| 470 | then | ||
| 471 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 472 | ··echo·"Aborting." | ||
| 473 | ··exit·1 | ||
| 474 | fi | ||
| 475 | if·which·dnf·;·then | ||
| 476 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 477 | ····dnf·remove·-y·"$package" | ||
| 478 | ··fi | ||
| 479 | elif·which·yum·;·then | ||
| 480 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 481 | ····yum·remove·-y·"$package" | ||
| 482 | ··fi | ||
| 483 | elif·which·apt-get·;·then | ||
| 484 | ··apt-get·remove·-y·"$package" | ||
| 485 | else | ||
| 486 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 487 | ··echo·"Aborting." | ||
| 488 | ··exit·1 | ||
| 489 | fi | ||
| 490 | } | ||
| 491 | package_remove·dhcp | ||
| 492 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29700">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29700"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·dhcp·is·removed | ||
| 493 | ··package: | ||
| 494 | ····name="{{item}}" | ||
| 495 | ····state=absent | ||
| 496 | ··with_items: | ||
| 497 | ····-·dhcp | ||
| 498 | ··tags: | ||
| 499 | ····-·package_dhcp_removed | ||
| 500 | ····-·medium_severity | ||
| 501 | ····-·disable_strategy | ||
| 502 | ····-·low_complexity | ||
| 503 | ····-·low_disruption | ||
| 504 | ····-·CCE-27120-5 | ||
| 505 | ····-·NIST-800-53-CM-7 | ||
| 506 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29701">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29701"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_dhcp | ||
| 507 | class·remove_dhcp·{ | ||
| 508 | ··package·{·'dhcp': | ||
| 509 | ····ensure·=>·'purged', | ||
| 510 | ··} | ||
| 511 | } | ||
| 512 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29702"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | ||
| 513 | package·--remove=dhcp | ||
| 514 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled"·id="guide-tree-leaf-idm29707"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">Disable·DHCP·Service | ||
| 515 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_dhcpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 516 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 517 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 518 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | ||
| 519 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | ||
| 520 | DHCP·server·if·there·is·one.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 521 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 522 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29716"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 523 | # | ||
| 524 | #·Example·Call(s): | ||
| 525 | # | ||
| 526 | #·····service_command·enable·bluetooth | ||
| 527 | #·····service_command·disable·bluetooth.service | ||
| 528 | # | ||
| 529 | #·····Using·xinetd: | ||
| 530 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 531 | # | ||
| 532 | function·service_command·{ | ||
| 533 | #·Load·function·arguments·into·local·variables | ||
| Max diff block lines reached; 1931615/1953441 bytes (98.88%) of diff not shown. | |||
| Offset 207, 101 lines modified | Offset 207, 101 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36088"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>r | 220 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·r | 221 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36113">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36113"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 228 | # | 228 | # |
| 229 | #·Disable·r | 229 | #·Disable·rsh.socket·for·all·systemd·targets |
| 230 | # | 230 | # |
| 231 | systemctl·disable·r | 231 | systemctl·disable·rsh.socket |
| 232 | # | 232 | # |
| 233 | #·Stop·r | 233 | #·Stop·rsh.socket·if·currently·running |
| 234 | # | 234 | # |
| 235 | systemctl·stop·r | 235 | systemctl·stop·rsh.socket |
| 236 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 236 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36114">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36114"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 237 | ··service: | 237 | ··service: |
| 238 | ····name="{{item}}" | 238 | ····name="{{item}}" |
| 239 | ····enabled="no" | 239 | ····enabled="no" |
| 240 | ····state="stopped" | 240 | ····state="stopped" |
| 241 | ··register:·service_result | 241 | ··register:·service_result |
| 242 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 242 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 243 | ··with_items: | 243 | ··with_items: |
| 244 | ····-·r | 244 | ····-·rsh |
| 245 | ··tags: | 245 | ··tags: |
| 246 | ····-·service_r | 246 | ····-·service_rsh_disabled |
| 247 | ····-·high_severity | 247 | ····-·high_severity |
| 248 | ····-·disable_strategy | 248 | ····-·disable_strategy |
| 249 | ····-·low_complexity | 249 | ····-·low_complexity |
| 250 | ····-·low_disruption | 250 | ····-·low_disruption |
| 251 | ····-·CCE-27 | 251 | ····-·CCE-27337-5 |
| 252 | ····-·NIST-800-53-AC-17(8) | 252 | ····-·NIST-800-53-AC-17(8) |
| 253 | ····-·NIST-800-53-CM-7 | 253 | ····-·NIST-800-53-CM-7 |
| 254 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 254 | ····-·NIST-800-171-3.1.13 | 255 | ····-·NIST-800-171-3.1.13 |
| 255 | ····-·NIST-800-171-3.4.7 | 256 | ····-·NIST-800-171-3.4.7 |
| 256 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 257 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36119"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 257 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 258 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 258 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 259 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 259 | as·a·systemd·socket,·should·be·disabled. | 260 | as·a·systemd·socket,·should·be·disabled. |
| 260 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 261 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 261 | If·using·systemd,· | 262 | If·using·systemd,· |
| 262 | ········The·<code>r | 263 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 263 | ········<pre>$·sudo·systemctl·disable·r | 264 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 264 | means·that·data·from·the·login·session,·including·passwords·and | 265 | means·that·data·from·the·login·session,·including·passwords·and |
| 265 | all·other·information·transmitted·during·the·session,·can·be | 266 | all·other·information·transmitted·during·the·session,·can·be |
| 266 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 267 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 267 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 268 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 268 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 269 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36143">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36143"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 269 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 270 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 270 | # | 271 | # |
| 271 | #·Disable·r | 272 | #·Disable·rexec.socket·for·all·systemd·targets |
| 272 | # | 273 | # |
| 273 | systemctl·disable·r | 274 | systemctl·disable·rexec.socket |
| 274 | # | 275 | # |
| 275 | #·Stop·r | 276 | #·Stop·rexec.socket·if·currently·running |
| 276 | # | 277 | # |
| 277 | systemctl·stop·r | 278 | systemctl·stop·rexec.socket |
| 278 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 279 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 279 | ··service: | 280 | ··service: |
| 280 | ····name="{{item}}" | 281 | ····name="{{item}}" |
| 281 | ····enabled="no" | 282 | ····enabled="no" |
| 282 | ····state="stopped" | 283 | ····state="stopped" |
| 283 | ··register:·service_result | 284 | ··register:·service_result |
| 284 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 285 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 285 | ··with_items: | 286 | ··with_items: |
| 286 | ····-·r | 287 | ····-·rexec |
| 287 | ··tags: | 288 | ··tags: |
| 288 | ····-·service_r | 289 | ····-·service_rexec_disabled |
| 289 | ····-·high_severity | 290 | ····-·high_severity |
| 290 | ····-·disable_strategy | 291 | ····-·disable_strategy |
| 291 | ····-·low_complexity | 292 | ····-·low_complexity |
| 292 | ····-·low_disruption | 293 | ····-·low_disruption |
| 293 | ····-·CCE-27 | 294 | ····-·CCE-27408-4 |
| 294 | ····-·NIST-800-53-AC-17(8) | 295 | ····-·NIST-800-53-AC-17(8) |
| 295 | ····-·NIST-800-53-CM-7 | 296 | ····-·NIST-800-53-CM-7 |
| 296 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 297 | ····-·NIST-800-171-3.1.13 | 297 | ····-·NIST-800-171-3.1.13 |
| 298 | ····-·NIST-800-171-3.4.7 | 298 | ····-·NIST-800-171-3.4.7 |
| 299 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36183"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files | 299 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files"·id="guide-tree-leaf-idm36183"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files">Remove·Rsh·Trust·Files |
| 300 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in | 300 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_rsh_trust_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·files·<code>/etc/hosts.equiv</code>·and·<code>~/.rhosts</code>·(in |
| 301 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the | 301 | each·user's·home·directory)·list·remote·hosts·and·users·that·are·trusted·by·the |
| 302 | local·system·when·using·the·rshd·daemon. | 302 | local·system·when·using·the·rshd·daemon. |
| 303 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 303 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| Offset 733, 96 lines modified | Offset 733, 25 lines modified | ||
| 733 | ····-·NIST-800-53-AC-17(8) | 733 | ····-·NIST-800-53-AC-17(8) |
| 734 | ····-·NIST-800-53-CM-7 | 734 | ····-·NIST-800-53-CM-7 |
| 735 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 735 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 736 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 736 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 737 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 737 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 738 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 738 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 739 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 739 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 740 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 740 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 741 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 742 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 743 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 744 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 745 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 746 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 747 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 748 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.4.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36483">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36483"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 749 | # | ||
| 750 | #·Example·Call(s): | ||
| 751 | # | ||
| 752 | #·····package_install·aide | ||
| 753 | # | ||
| 754 | function·package_install·{ | ||
| Max diff block lines reached; 864562/889934 bytes (97.15%) of diff not shown. | |||
| Offset 1221, 15 lines modified | Offset 1221, 15 lines modified | ||
| 1221 | The·following·recommendations·describe·how·to·strengthen·the | 1221 | The·following·recommendations·describe·how·to·strengthen·the |
| 1222 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1222 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1223 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1223 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1224 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1224 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1225 | and·<code>/etc/firewalld/zones</code>·directories. | 1225 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1226 | <br><br> | 1226 | <br><br> |
| 1227 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1227 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1228 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm4 | 1228 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm40865"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1229 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1229 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1230 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1230 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1231 | modify·the·following·line·in | 1231 | modify·the·following·line·in |
| 1232 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1232 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1233 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1233 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1234 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1234 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1235 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1235 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1294, 24 lines modified | Offset 1294, 24 lines modified | ||
| 1294 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1294 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1295 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1295 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1296 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1296 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1297 | vnc-server·wbem-https | 1297 | vnc-server·wbem-https |
| 1298 | </pre> | 1298 | </pre> |
| 1299 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1299 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1300 | service·reload,·enter·the·following·command·as·root: | 1300 | service·reload,·enter·the·following·command·as·root: |
| 1301 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm4 | 1301 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm40990"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1303 | ·············· | 1303 | ·············· |
| 1304 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1304 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1305 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1305 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1306 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1306 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1307 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1307 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1308 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1308 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1309 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1309 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1310 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1310 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41004">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41004"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1311 | # | 1311 | # |
| 1312 | #·Example·Call(s): | 1312 | #·Example·Call(s): |
| 1313 | # | 1313 | # |
| 1314 | #·····service_command·enable·bluetooth | 1314 | #·····service_command·enable·bluetooth |
| 1315 | #·····service_command·disable·bluetooth.service | 1315 | #·····service_command·disable·bluetooth.service |
| 1316 | # | 1316 | # |
| 1317 | #·····Using·xinetd: | 1317 | #·····Using·xinetd: |
| Offset 1379, 15 lines modified | Offset 1379, 15 lines modified | ||
| 1379 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1379 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1380 | ··fi | 1380 | ··fi |
| 1381 | fi | 1381 | fi |
| 1382 | } | 1382 | } |
| 1383 | service_command·enable·firewalld | 1383 | service_command·enable·firewalld |
| 1384 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1384 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41006">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41006"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1385 | ··service: | 1385 | ··service: |
| 1386 | ····name="{{item}}" | 1386 | ····name="{{item}}" |
| 1387 | ····enabled="yes" | 1387 | ····enabled="yes" |
| 1388 | ····state="started" | 1388 | ····state="started" |
| 1389 | ··with_items: | 1389 | ··with_items: |
| 1390 | ····-·firewalld | 1390 | ····-·firewalld |
| 1391 | ··tags: | 1391 | ··tags: |
| Offset 1537, 39 lines modified | Offset 1537, 41 lines modified | ||
| 1537 | ····-·NIST-800-53-AC-4 | 1537 | ····-·NIST-800-53-AC-4 |
| 1538 | ····-·NIST-800-53-CM-7 | 1538 | ····-·NIST-800-53-CM-7 |
| 1539 | ····-·NIST-800-53-SC-5 | 1539 | ····-·NIST-800-53-SC-5 |
| 1540 | ····-·NIST-800-53-SC-7 | 1540 | ····-·NIST-800-53-SC-7 |
| 1541 | ····-·NIST-800-171-3.1.20 | 1541 | ····-·NIST-800-171-3.1.20 |
| 1542 | ····-·CJIS-5.10.1.1 | 1542 | ····-·CJIS-5.10.1.1 |
| 1543 | ····-·DISA-STIG-RHEL-07-040620 | 1543 | ····-·DISA-STIG-RHEL-07-040620 |
| 1544 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1544 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects"·id="guide-tree-leaf-idm41513"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network_host_and_router_parameters"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">Configure·Kernel·Parameter·for·Accepting·ICMP·Redirects·By·Default |
| 1545 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ | 1545 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1546 | ·············· | 1546 | ·············· |
| 1547 | ····To·set·the·runtime·status·of·the·<code>net.ipv4. | 1547 | ····To·set·the·runtime·status·of·the·<code>net.ipv4.conf.default.accept_redirects</code>·kernel·parameter, |
| 1548 | ····run·the·following·command: | 1548 | ····run·the·following·command: |
| 1549 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4. | 1549 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv4.conf.default.accept_redirects=0</pre> |
| 1550 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: | 1550 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: |
| 1551 | ····<pre·xml:space="preserve">net.ipv4. | 1551 | ····<pre·xml:space="preserve">net.ipv4.conf.default.accept_redirects·=·0</pre> |
| 1552 | ············</p><span·class="label·label-primary">Rationale:</span><p> | 1552 | ············</p><span·class="label·label-primary">Rationale:</span><p>ICMP·redirect·messages·are·used·by·routers·to·inform·hosts·that·a·more·direct |
| 1553 | 1553 | route·exists·for·a·particular·destination.·These·messages·modify·the·host's·route·table | |
| 1554 | and·are·unauthenticated.·An·illicit·ICMP·redirect·message·could·result·in·a·man-in-the-middle | ||
| 1555 | attack. | ||
| 1554 | <br> | 1556 | <br> |
| 1555 | 1557 | This·feature·of·the·IPv4·protocol·has·few·legitimate·uses.·It·should·be·disabled·unless· | |
| 1556 | a | 1558 | absolutely·required.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1557 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1559 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1558 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-8691 | 1560 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86913r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41532">(show)</a><br></br><[·...·truncated·by·diffoscope;·len:·48,·SHA1:·bc9975a5d01e7d31da2de06fb4d4d047503030ff·...·]"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 1559 | sysctl_net_ipv4_ | 1561 | sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr>" |
| 1560 | # | 1562 | # |
| 1561 | #·Set·runtime·for·net.ipv4. | 1563 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 1562 | # | 1564 | # |
| 1563 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1565 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 1564 | # | 1566 | # |
| 1565 | #·If·net.ipv4. | 1567 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1566 | #» else,·add·"net.ipv4. | 1568 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1567 | # | 1569 | # |
| 1568 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1570 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1569 | #·it·does·not·exist. | 1571 | #·it·does·not·exist. |
| 1570 | # | 1572 | # |
| 1571 | #·Expects·arguments: | 1573 | #·Expects·arguments: |
| 1572 | # | 1574 | # |
| 1573 | #·config_file:» » Configuration·file·that·will·be·modified | 1575 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1641, 67 lines modified | Offset 1643, 68 lines modified | ||
| 1641 | ··else | 1643 | ··else |
| 1642 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1644 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1643 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1645 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1644 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1646 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1645 | ··fi | 1647 | ··fi |
| 1646 | } | 1648 | } |
| 1647 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1649 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1648 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm415 | 1650 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41535">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41535"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·XCCDF·Value·sysctl_net_ipv4_conf_default_accept_redirects_value·#·promote·to·variable |
| 1649 | ··set_fact: | 1651 | ··set_fact: |
| 1650 | ····sysctl_net_ipv4_ | 1652 | ····sysctl_net_ipv4_conf_default_accept_redirects_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">(N/A)</abbr> |
| 1651 | ··tags: | 1653 | ··tags: |
| 1652 | ····-·always | 1654 | ····-·always |
| 1653 | -·name:·Ensure·sysctl·net.ipv4. | 1655 | -·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 1654 | ··sysctl: | 1656 | ··sysctl: |
| 1655 | ····name:·net.ipv4. | 1657 | ····name:·net.ipv4.conf.default.accept_redirects |
| 1656 | ····value:·"{{·sysctl_net_ipv4_ | 1658 | ····value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 1657 | ····state:·present | 1659 | ····state:·present |
| 1658 | ····reload:·yes | 1660 | ····reload:·yes |
| 1659 | ··tags: | 1661 | ··tags: |
| 1660 | ····-·sysctl_net_ipv4_ | 1662 | ····-·sysctl_net_ipv4_conf_default_accept_redirects |
| 1661 | ····-·medium_severity | 1663 | ····-·medium_severity |
| 1662 | ····-·disable_strategy | 1664 | ····-·disable_strategy |
| 1663 | ····-·low_complexity | 1665 | ····-·low_complexity |
| 1664 | ····-·medium_disruption | 1666 | ····-·medium_disruption |
| 1665 | ····-·CCE-8016 | 1667 | ····-·CCE-80163-9 |
| 1666 | ····-·NIST-800-53-AC-4 | 1668 | ····-·NIST-800-53-AC-4 |
| Max diff block lines reached; 471579/491388 bytes (95.97%) of diff not shown. | |||
| Offset 204, 15 lines modified | Offset 204, 39 lines modified | ||
| 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system | 204 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_quagga">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Quagga·was·installed·and·activated,·but·the·system |
| 205 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled | 205 | does·not·need·to·act·as·a·router,·then·it·should·be·disabled |
| 206 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server | 206 | and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_quagga"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_routing"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at | 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 208 | least·one·nameserver.·However,·there·are·many·common·attacks | 208 | least·one·nameserver.·However,·there·are·many·common·attacks |
| 209 | involving·DNS·server·software,·and·this·server·software·should | 209 | involving·DNS·server·software,·and·this·server·software·should |
| 210 | be·disabled·on·any·system | 210 | be·disabled·on·any·system |
| 211 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_ | 211 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 213 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 214 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 215 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 216 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 217 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 218 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 219 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 220 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 221 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 222 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 223 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 224 | <pre>options·{ | ||
| 225 | directory·"/path/to/DIRNAME·"; | ||
| 226 | ... | ||
| 227 | }</pre> | ||
| 228 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 229 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 230 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 231 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 233 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 234 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 235 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | ||
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it | 236 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·DNS·configuration·options·which·make·it |
| 213 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify | 237 | more·difficult·for·attackers·to·gain·access·to·private·DNS·data·or·to·modify |
| 214 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries | 238 | DNS·data.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run·Separate·DNS·Servers·for·External·and·Internal·Queries |
| 215 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on | 239 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Is·it·possible·to·run·external·and·internal·nameservers·on |
| 216 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On | 240 | separate·systems?·If·so,·follow·the·configuration·guidance·in·this·section.·On |
| 217 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the | 241 | the·external·nameserver,·edit·<code>/etc/named.conf</code>·to·add·or·correct·the |
| 218 | following·directives: | 242 | following·directives: |
| Offset 260, 39 lines modified | Offset 284, 15 lines modified | ||
| 260 | view·"external-view"·{ | 284 | view·"external-view"·{ |
| 261 | ··match-clients·{·any;·}; | 285 | ··match-clients·{·any;·}; |
| 262 | ··recursion·no; | 286 | ··recursion·no; |
| 263 | ··zone·"example.com·"·IN·{ | 287 | ··zone·"example.com·"·IN·{ |
| 264 | ····... | 288 | ····... |
| 265 | ··}; | 289 | ··}; |
| 266 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_d | 290 | };</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server |
| 267 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server | ||
| 268 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | ||
| 269 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct | ||
| 270 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail | ||
| 271 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | ||
| 272 | <pre>$·sudo·yum·install·bind-chroot</pre> | ||
| 273 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | ||
| 274 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | ||
| 275 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | ||
| 276 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | ||
| 277 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | ||
| 278 | options·directive.·If·your·<code>named.conf</code>·includes: | ||
| 279 | <pre>options·{ | ||
| 280 | directory·"/path/to/DIRNAME·"; | ||
| 281 | ... | ||
| 282 | }</pre> | ||
| 283 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | ||
| 284 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | ||
| 285 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | ||
| 286 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | ||
| 287 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is | ||
| 288 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | ||
| 289 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | ||
| 290 | systems·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable·DNS·Server | ||
| 291 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not | 291 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DNS·software·should·be·disabled·on·any·systems·which·does·not |
| 292 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is | 292 | need·to·be·a·nameserver.·Note·that·the·BIND·DNS·server·software·is |
| 293 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section | 293 | not·installed·on·Red·Hat·Enterprise·Linux·7·by·default.·The·remainder·of·this·section |
| 294 | discusses·secure·configuration·of·systems·which·must·be | 294 | discusses·secure·configuration·of·systems·which·must·be |
| 295 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP | 295 | nameservers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ldap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ldap">LDAP |
| 296 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a | 296 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>LDAP·is·a·popular·directory·service,·that·is,·a |
| 297 | standardized·way·of·looking·up·information·from·a·central·database. | 297 | standardized·way·of·looking·up·information·from·a·central·database. |
| Offset 1076, 30 lines modified | Offset 1076, 30 lines modified | ||
| 1076 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to | 1076 | include·setuid·programs·may·provide·local·attackers·a·potential·path·to |
| 1077 | privilege·escalation.·Packages·that·include·network·services·may·give | 1077 | privilege·escalation.·Packages·that·include·network·services·may·give |
| 1078 | this·opportunity·to·network-based·attackers.·Packages·that·include | 1078 | this·opportunity·to·network-based·attackers.·Packages·that·include |
| 1079 | programs·which·are·predictably·executed·by·local·users·(e.g.·after | 1079 | programs·which·are·predictably·executed·by·local·users·(e.g.·after |
| 1080 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other | 1080 | graphical·login)·may·provide·opportunities·for·trojan·horses·or·other |
| 1081 | attack·code·to·be·run·undetected.·The·number·of·software·packages | 1081 | attack·code·to·be·run·undetected.·The·number·of·software·packages |
| 1082 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include | 1082 | installed·on·a·system·can·almost·always·be·significantly·pruned·to·include |
| 1083 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle- | 1083 | only·the·software·for·which·there·is·an·environmental·or·operational·need.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege |
| 1084 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1085 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1086 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1087 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1088 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1089 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1090 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least·Privilege | ||
| 1091 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. | 1084 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Grant·the·least·privilege·necessary·for·user·accounts·and·software·to·perform·tasks. |
| 1092 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user | 1085 | For·example,·<code>sudo</code>·can·be·implemented·to·limit·authorization·to·super·user |
| 1093 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit | 1086 | accounts·on·the·system·only·to·designated·personnel.·Another·example·is·to·limit |
| 1094 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in | 1087 | logins·on·server·systems·to·only·those·administrators·who·need·to·log·into·them·in |
| 1095 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of | 1088 | order·to·perform·administration·tasks.·Using·SELinux·also·follows·the·principle·of |
| 1096 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the | 1089 | least·privilege:·SELinux·policy·can·confine·software·to·perform·only·actions·on·the |
| 1097 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the | 1090 | system·that·are·specifically·allowed.·This·can·be·far·more·restrictive·than·the |
| 1098 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-se | 1091 | actions·permissible·by·the·traditional·Unix·permissions·model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-use-security-tools">Configure·Security·Tools·to·Improve·System·Robustness |
| 1092 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Several·tools·exist·which·can·be·effectively·used·to·improve·a·system's | ||
| 1093 | resistance·to·and·detection·of·unknown·attacks.·These·tools·can·improve | ||
| 1094 | robustness·against·attack·at·the·cost·of·relatively·little·configuration | ||
| 1095 | effort.·In·particular,·this·guide·recommends·and·discusses·the·use·of | ||
| 1096 | host-based·firewalling,·SELinux·for·protection·against | ||
| 1097 | vulnerable·services,·and·a·logging·and·auditing·infrastructure·for | ||
| 1098 | detection·of·problems.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-separate-servers"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-separate-servers">Run·Different·Network·Services·on·Separate·Systems | ||
| 1099 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one | 1099 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Whenever·possible,·a·server·should·be·dedicated·to·serving·exactly·one |
| 1100 | network·service.·This·limits·the·number·of·other·services·that·can | 1100 | network·service.·This·limits·the·number·of·other·services·that·can |
| 1101 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully | 1101 | be·compromised·in·the·event·that·an·attacker·is·able·to·successfully |
| 1102 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible | 1102 | exploit·a·software·flaw·in·one·network·service.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt·Transmitted·Data·Whenever·Possible |
| 1103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible | 1103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Data·transmitted·over·a·network,·whether·wired·or·wireless,·is·susceptible |
| 1104 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting | 1104 | to·passive·monitoring.·Whenever·practical·solutions·for·encrypting |
| 1105 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to | 1105 | such·data·exist,·they·should·be·applied.·Even·if·data·is·expected·to |
| Offset 1164, 15 lines modified | Offset 1164, 35 lines modified | ||
| 1164 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an | 1164 | especially·in·periods·of·high·traffic·which·may·be·the·result·of·an |
| 1165 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not | 1165 | attack.·In·addition,·remote·<code>rsyslog</code>·messages·are·not |
| 1166 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to | 1166 | authenticated·in·any·way·by·default,·so·it·is·easy·for·an·attacker·to |
| 1167 | introduce·spurious·messages·to·the·central·log·server.·Also,·some | 1167 | introduce·spurious·messages·to·the·central·log·server.·Also,·some |
| 1168 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the | 1168 | problems·cause·loss·of·network·connectivity,·which·will·prevent·the |
| 1169 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is | 1169 | sending·of·messages·to·the·central·server.·For·all·of·these·reasons,·it·is |
| 1170 | better·to·store·log·messages·both·centrally·and·on·each·host,·so | 1170 | better·to·store·log·messages·both·centrally·and·on·each·host,·so |
| 1171 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1171 | that·they·can·be·correlated·if·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 1172 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| Max diff block lines reached; 51591/77709 bytes (66.39%) of diff not shown. | |||
| Offset 205, 101 lines modified | Offset 205, 101 lines modified | ||
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27336-7 | 206 | ····-·CCE-27336-7 |
| 207 | ····-·NIST-800-53-AC-17(8) | 207 | ····-·NIST-800-53-AC-17(8) |
| 208 | ····-·NIST-800-53-CM-7 | 208 | ····-·NIST-800-53-CM-7 |
| 209 | ····-·NIST-800-53-IA-5(1)(c) | 209 | ····-·NIST-800-53-IA-5(1)(c) |
| 210 | ····-·NIST-800-171-3.1.13 | 210 | ····-·NIST-800-171-3.1.13 |
| 211 | ····-·NIST-800-171-3.4.7 | 211 | ····-·NIST-800-171-3.4.7 |
| 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36088"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 215 | as·a·systemd·socket,·should·be·disabled. | 215 | as·a·systemd·socket,·should·be·disabled. |
| 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 217 | If·using·systemd,· | 217 | If·using·systemd,· |
| 218 | ········The·<code>r | 218 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 219 | ········<pre>$·sudo·systemctl·disable·r | 219 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 220 | means·that·data·from·the·login·session,·including·passwords·and | 220 | means·that·data·from·the·login·session,·including·passwords·and |
| 221 | all·other·information·transmitted·during·the·session,·can·be | 221 | all·other·information·transmitted·during·the·session,·can·be |
| 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36113">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36113"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 226 | # | 226 | # |
| 227 | #·Disable·r | 227 | #·Disable·rsh.socket·for·all·systemd·targets |
| 228 | # | 228 | # |
| 229 | systemctl·disable·r | 229 | systemctl·disable·rsh.socket |
| 230 | # | 230 | # |
| 231 | #·Stop·r | 231 | #·Stop·rsh.socket·if·currently·running |
| 232 | # | 232 | # |
| 233 | systemctl·stop·r | 233 | systemctl·stop·rsh.socket |
| 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36114">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36114"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 235 | ··service: | 235 | ··service: |
| 236 | ····name="{{item}}" | 236 | ····name="{{item}}" |
| 237 | ····enabled="no" | 237 | ····enabled="no" |
| 238 | ····state="stopped" | 238 | ····state="stopped" |
| 239 | ··register:·service_result | 239 | ··register:·service_result |
| 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 241 | ··with_items: | 241 | ··with_items: |
| 242 | ····-·r | 242 | ····-·rsh |
| 243 | ··tags: | 243 | ··tags: |
| 244 | ····-·service_r | 244 | ····-·service_rsh_disabled |
| 245 | ····-·high_severity | 245 | ····-·high_severity |
| 246 | ····-·disable_strategy | 246 | ····-·disable_strategy |
| 247 | ····-·low_complexity | 247 | ····-·low_complexity |
| 248 | ····-·low_disruption | 248 | ····-·low_disruption |
| 249 | ····-·CCE-27 | 249 | ····-·CCE-27337-5 |
| 250 | ····-·NIST-800-53-AC-17(8) | 250 | ····-·NIST-800-53-AC-17(8) |
| 251 | ····-·NIST-800-53-CM-7 | 251 | ····-·NIST-800-53-CM-7 |
| 252 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 252 | ····-·NIST-800-171-3.1.13 | 253 | ····-·NIST-800-171-3.1.13 |
| 253 | ····-·NIST-800-171-3.4.7 | 254 | ····-·NIST-800-171-3.4.7 |
| 254 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 255 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36119"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 255 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 256 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 256 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 257 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 257 | as·a·systemd·socket,·should·be·disabled. | 258 | as·a·systemd·socket,·should·be·disabled. |
| 258 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 259 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 259 | If·using·systemd,· | 260 | If·using·systemd,· |
| 260 | ········The·<code>r | 261 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 261 | ········<pre>$·sudo·systemctl·disable·r | 262 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 262 | means·that·data·from·the·login·session,·including·passwords·and | 263 | means·that·data·from·the·login·session,·including·passwords·and |
| 263 | all·other·information·transmitted·during·the·session,·can·be | 264 | all·other·information·transmitted·during·the·session,·can·be |
| 264 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 265 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 265 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 266 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 266 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 267 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36143">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36143"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 267 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 268 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 268 | # | 269 | # |
| 269 | #·Disable·r | 270 | #·Disable·rexec.socket·for·all·systemd·targets |
| 270 | # | 271 | # |
| 271 | systemctl·disable·r | 272 | systemctl·disable·rexec.socket |
| 272 | # | 273 | # |
| 273 | #·Stop·r | 274 | #·Stop·rexec.socket·if·currently·running |
| 274 | # | 275 | # |
| 275 | systemctl·stop·r | 276 | systemctl·stop·rexec.socket |
| 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 277 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 277 | ··service: | 278 | ··service: |
| 278 | ····name="{{item}}" | 279 | ····name="{{item}}" |
| 279 | ····enabled="no" | 280 | ····enabled="no" |
| 280 | ····state="stopped" | 281 | ····state="stopped" |
| 281 | ··register:·service_result | 282 | ··register:·service_result |
| 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 283 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 283 | ··with_items: | 284 | ··with_items: |
| 284 | ····-·r | 285 | ····-·rexec |
| 285 | ··tags: | 286 | ··tags: |
| 286 | ····-·service_r | 287 | ····-·service_rexec_disabled |
| 287 | ····-·high_severity | 288 | ····-·high_severity |
| 288 | ····-·disable_strategy | 289 | ····-·disable_strategy |
| 289 | ····-·low_complexity | 290 | ····-·low_complexity |
| 290 | ····-·low_disruption | 291 | ····-·low_disruption |
| 291 | ····-·CCE-27 | 292 | ····-·CCE-27408-4 |
| 292 | ····-·NIST-800-53-AC-17(8) | 293 | ····-·NIST-800-53-AC-17(8) |
| 293 | ····-·NIST-800-53-CM-7 | 294 | ····-·NIST-800-53-CM-7 |
| 294 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 295 | ····-·NIST-800-171-3.1.13 | 295 | ····-·NIST-800-171-3.1.13 |
| 296 | ····-·NIST-800-171-3.4.7 | 296 | ····-·NIST-800-171-3.4.7 |
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 299 | the·following·command: | 299 | the·following·command: |
| 300 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 300 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 301 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 301 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 876, 25 lines modified | Offset 876, 25 lines modified | ||
| 876 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 876 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 877 | package·--remove=ypserv | 877 | package·--remove=ypserv |
| 878 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 878 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 879 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 879 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 880 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 880 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 881 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 881 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 882 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 882 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 883 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 883 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 884 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 884 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 885 | ············ | 885 | ············ |
| 886 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 886 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 887 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 887 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 888 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 888 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 889 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 889 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 890 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 890 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 891 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 891 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 892 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 892 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 893 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 893 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36488">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36488"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 894 | # | 894 | # |
| 895 | #·Example·Call(s): | 895 | #·Example·Call(s): |
| 896 | # | 896 | # |
| 897 | #·····service_command·enable·bluetooth | 897 | #·····service_command·enable·bluetooth |
| 898 | #·····service_command·disable·bluetooth.service | 898 | #·····service_command·disable·bluetooth.service |
| 899 | # | 899 | # |
| Max diff block lines reached; 709741/735215 bytes (96.54%) of diff not shown. | |||
| Offset 213, 101 lines modified | Offset 213, 101 lines modified | ||
| 213 | ····-·low_disruption | 213 | ····-·low_disruption |
| 214 | ····-·CCE-27336-7 | 214 | ····-·CCE-27336-7 |
| 215 | ····-·NIST-800-53-AC-17(8) | 215 | ····-·NIST-800-53-AC-17(8) |
| 216 | ····-·NIST-800-53-CM-7 | 216 | ····-·NIST-800-53-CM-7 |
| 217 | ····-·NIST-800-53-IA-5(1)(c) | 217 | ····-·NIST-800-53-IA-5(1)(c) |
| 218 | ····-·NIST-800-171-3.1.13 | 218 | ····-·NIST-800-171-3.1.13 |
| 219 | ····-·NIST-800-171-3.4.7 | 219 | ····-·NIST-800-171-3.4.7 |
| 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36088"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 223 | as·a·systemd·socket,·should·be·disabled. | 223 | as·a·systemd·socket,·should·be·disabled. |
| 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 225 | If·using·systemd,· | 225 | If·using·systemd,· |
| 226 | ········The·<code>r | 226 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 227 | ········<pre>$·sudo·systemctl·disable·r | 227 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 228 | means·that·data·from·the·login·session,·including·passwords·and | 228 | means·that·data·from·the·login·session,·including·passwords·and |
| 229 | all·other·information·transmitted·during·the·session,·can·be | 229 | all·other·information·transmitted·during·the·session,·can·be |
| 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36113">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36113"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 234 | # | 234 | # |
| 235 | #·Disable·r | 235 | #·Disable·rsh.socket·for·all·systemd·targets |
| 236 | # | 236 | # |
| 237 | systemctl·disable·r | 237 | systemctl·disable·rsh.socket |
| 238 | # | 238 | # |
| 239 | #·Stop·r | 239 | #·Stop·rsh.socket·if·currently·running |
| 240 | # | 240 | # |
| 241 | systemctl·stop·r | 241 | systemctl·stop·rsh.socket |
| 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36114">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36114"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 243 | ··service: | 243 | ··service: |
| 244 | ····name="{{item}}" | 244 | ····name="{{item}}" |
| 245 | ····enabled="no" | 245 | ····enabled="no" |
| 246 | ····state="stopped" | 246 | ····state="stopped" |
| 247 | ··register:·service_result | 247 | ··register:·service_result |
| 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 249 | ··with_items: | 249 | ··with_items: |
| 250 | ····-·r | 250 | ····-·rsh |
| 251 | ··tags: | 251 | ··tags: |
| 252 | ····-·service_r | 252 | ····-·service_rsh_disabled |
| 253 | ····-·high_severity | 253 | ····-·high_severity |
| 254 | ····-·disable_strategy | 254 | ····-·disable_strategy |
| 255 | ····-·low_complexity | 255 | ····-·low_complexity |
| 256 | ····-·low_disruption | 256 | ····-·low_disruption |
| 257 | ····-·CCE-27 | 257 | ····-·CCE-27337-5 |
| 258 | ····-·NIST-800-53-AC-17(8) | 258 | ····-·NIST-800-53-AC-17(8) |
| 259 | ····-·NIST-800-53-CM-7 | 259 | ····-·NIST-800-53-CM-7 |
| 260 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 260 | ····-·NIST-800-171-3.1.13 | 261 | ····-·NIST-800-171-3.1.13 |
| 261 | ····-·NIST-800-171-3.4.7 | 262 | ····-·NIST-800-171-3.4.7 |
| 262 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 263 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36119"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 263 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 264 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 264 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 265 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 265 | as·a·systemd·socket,·should·be·disabled. | 266 | as·a·systemd·socket,·should·be·disabled. |
| 266 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 267 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 267 | If·using·systemd,· | 268 | If·using·systemd,· |
| 268 | ········The·<code>r | 269 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 269 | ········<pre>$·sudo·systemctl·disable·r | 270 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 270 | means·that·data·from·the·login·session,·including·passwords·and | 271 | means·that·data·from·the·login·session,·including·passwords·and |
| 271 | all·other·information·transmitted·during·the·session,·can·be | 272 | all·other·information·transmitted·during·the·session,·can·be |
| 272 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 273 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 273 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 274 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 275 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36143">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36143"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 275 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 276 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 276 | # | 277 | # |
| 277 | #·Disable·r | 278 | #·Disable·rexec.socket·for·all·systemd·targets |
| 278 | # | 279 | # |
| 279 | systemctl·disable·r | 280 | systemctl·disable·rexec.socket |
| 280 | # | 281 | # |
| 281 | #·Stop·r | 282 | #·Stop·rexec.socket·if·currently·running |
| 282 | # | 283 | # |
| 283 | systemctl·stop·r | 284 | systemctl·stop·rexec.socket |
| 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 285 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 285 | ··service: | 286 | ··service: |
| 286 | ····name="{{item}}" | 287 | ····name="{{item}}" |
| 287 | ····enabled="no" | 288 | ····enabled="no" |
| 288 | ····state="stopped" | 289 | ····state="stopped" |
| 289 | ··register:·service_result | 290 | ··register:·service_result |
| 290 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 291 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 291 | ··with_items: | 292 | ··with_items: |
| 292 | ····-·r | 293 | ····-·rexec |
| 293 | ··tags: | 294 | ··tags: |
| 294 | ····-·service_r | 295 | ····-·service_rexec_disabled |
| 295 | ····-·high_severity | 296 | ····-·high_severity |
| 296 | ····-·disable_strategy | 297 | ····-·disable_strategy |
| 297 | ····-·low_complexity | 298 | ····-·low_complexity |
| 298 | ····-·low_disruption | 299 | ····-·low_disruption |
| 299 | ····-·CCE-27 | 300 | ····-·CCE-27408-4 |
| 300 | ····-·NIST-800-53-AC-17(8) | 301 | ····-·NIST-800-53-AC-17(8) |
| 301 | ····-·NIST-800-53-CM-7 | 302 | ····-·NIST-800-53-CM-7 |
| 302 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 303 | ····-·NIST-800-171-3.1.13 | 303 | ····-·NIST-800-171-3.1.13 |
| 304 | ····-·NIST-800-171-3.4.7 | 304 | ····-·NIST-800-171-3.4.7 |
| 305 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 305 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 307 | the·following·command: | 307 | the·following·command: |
| 308 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 308 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 309 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 309 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 884, 25 lines modified | Offset 884, 25 lines modified | ||
| 884 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 884 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 885 | package·--remove=ypserv | 885 | package·--remove=ypserv |
| 886 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 886 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 887 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 887 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 888 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 888 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 889 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 889 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 890 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 890 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 891 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 891 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 892 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 892 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 893 | ············ | 893 | ············ |
| 894 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 894 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 895 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 895 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 896 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 896 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 897 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 897 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 898 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 898 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 899 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 899 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 900 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 900 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 901 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 901 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36488">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36488"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 902 | # | 902 | # |
| 903 | #·Example·Call(s): | 903 | #·Example·Call(s): |
| 904 | # | 904 | # |
| 905 | #·····service_command·enable·bluetooth | 905 | #·····service_command·enable·bluetooth |
| 906 | #·····service_command·disable·bluetooth.service | 906 | #·····service_command·disable·bluetooth.service |
| 907 | # | 907 | # |
| Max diff block lines reached; 1460986/1486460 bytes (98.29%) of diff not shown. | |||
| Offset 224, 101 lines modified | Offset 224, 101 lines modified | ||
| 224 | ····-·low_disruption | 224 | ····-·low_disruption |
| 225 | ····-·CCE-27336-7 | 225 | ····-·CCE-27336-7 |
| 226 | ····-·NIST-800-53-AC-17(8) | 226 | ····-·NIST-800-53-AC-17(8) |
| 227 | ····-·NIST-800-53-CM-7 | 227 | ····-·NIST-800-53-CM-7 |
| 228 | ····-·NIST-800-53-IA-5(1)(c) | 228 | ····-·NIST-800-53-IA-5(1)(c) |
| 229 | ····-·NIST-800-171-3.1.13 | 229 | ····-·NIST-800-171-3.1.13 |
| 230 | ····-·NIST-800-171-3.4.7 | 230 | ····-·NIST-800-171-3.4.7 |
| 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled"·id="guide-tree-leaf-idm36088"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsh_disabled">Disable·rsh·Service |
| 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsh_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·service,·which·is·available·with |
| 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 234 | as·a·systemd·socket,·should·be·disabled. | 234 | as·a·systemd·socket,·should·be·disabled. |
| 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 236 | If·using·systemd,· | 236 | If·using·systemd,· |
| 237 | ········The·<code>r | 237 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 238 | ········<pre>$·sudo·systemctl·disable·r | 238 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rsh·service·uses·unencrypted·network·communications,·which |
| 239 | means·that·data·from·the·login·session,·including·passwords·and | 239 | means·that·data·from·the·login·session,·including·passwords·and |
| 240 | all·other·information·transmitted·during·the·session,·can·be | 240 | all·other·information·transmitted·during·the·session,·can·be |
| 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36113">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36113"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 245 | # | 245 | # |
| 246 | #·Disable·r | 246 | #·Disable·rsh.socket·for·all·systemd·targets |
| 247 | # | 247 | # |
| 248 | systemctl·disable·r | 248 | systemctl·disable·rsh.socket |
| 249 | # | 249 | # |
| 250 | #·Stop·r | 250 | #·Stop·rsh.socket·if·currently·running |
| 251 | # | 251 | # |
| 252 | systemctl·stop·r | 252 | systemctl·stop·rsh.socket |
| 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36114">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36114"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rsh |
| 254 | ··service: | 254 | ··service: |
| 255 | ····name="{{item}}" | 255 | ····name="{{item}}" |
| 256 | ····enabled="no" | 256 | ····enabled="no" |
| 257 | ····state="stopped" | 257 | ····state="stopped" |
| 258 | ··register:·service_result | 258 | ··register:·service_result |
| 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 260 | ··with_items: | 260 | ··with_items: |
| 261 | ····-·r | 261 | ····-·rsh |
| 262 | ··tags: | 262 | ··tags: |
| 263 | ····-·service_r | 263 | ····-·service_rsh_disabled |
| 264 | ····-·high_severity | 264 | ····-·high_severity |
| 265 | ····-·disable_strategy | 265 | ····-·disable_strategy |
| 266 | ····-·low_complexity | 266 | ····-·low_complexity |
| 267 | ····-·low_disruption | 267 | ····-·low_disruption |
| 268 | ····-·CCE-27 | 268 | ····-·CCE-27337-5 |
| 269 | ····-·NIST-800-53-AC-17(8) | 269 | ····-·NIST-800-53-AC-17(8) |
| 270 | ····-·NIST-800-53-CM-7 | 270 | ····-·NIST-800-53-CM-7 |
| 271 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 271 | ····-·NIST-800-171-3.1.13 | 272 | ····-·NIST-800-171-3.1.13 |
| 272 | ····-·NIST-800-171-3.4.7 | 273 | ····-·NIST-800-171-3.4.7 |
| 273 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_r | 274 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36119"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 274 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_r | 275 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 275 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 276 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 276 | as·a·systemd·socket,·should·be·disabled. | 277 | as·a·systemd·socket,·should·be·disabled. |
| 277 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 278 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 278 | If·using·systemd,· | 279 | If·using·systemd,· |
| 279 | ········The·<code>r | 280 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 280 | ········<pre>$·sudo·systemctl·disable·r | 281 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 281 | means·that·data·from·the·login·session,·including·passwords·and | 282 | means·that·data·from·the·login·session,·including·passwords·and |
| 282 | all·other·information·transmitted·during·the·session,·can·be | 283 | all·other·information·transmitted·during·the·session,·can·be |
| 283 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 284 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 284 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 285 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a> | 286 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36143">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36143"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 286 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 287 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 287 | # | 288 | # |
| 288 | #·Disable·r | 289 | #·Disable·rexec.socket·for·all·systemd·targets |
| 289 | # | 290 | # |
| 290 | systemctl·disable·r | 291 | systemctl·disable·rexec.socket |
| 291 | # | 292 | # |
| 292 | #·Stop·r | 293 | #·Stop·rexec.socket·if·currently·running |
| 293 | # | 294 | # |
| 294 | systemctl·stop·r | 295 | systemctl·stop·rexec.socket |
| 295 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 296 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 296 | ··service: | 297 | ··service: |
| 297 | ····name="{{item}}" | 298 | ····name="{{item}}" |
| 298 | ····enabled="no" | 299 | ····enabled="no" |
| 299 | ····state="stopped" | 300 | ····state="stopped" |
| 300 | ··register:·service_result | 301 | ··register:·service_result |
| 301 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 302 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 302 | ··with_items: | 303 | ··with_items: |
| 303 | ····-·r | 304 | ····-·rexec |
| 304 | ··tags: | 305 | ··tags: |
| 305 | ····-·service_r | 306 | ····-·service_rexec_disabled |
| 306 | ····-·high_severity | 307 | ····-·high_severity |
| 307 | ····-·disable_strategy | 308 | ····-·disable_strategy |
| 308 | ····-·low_complexity | 309 | ····-·low_complexity |
| 309 | ····-·low_disruption | 310 | ····-·low_disruption |
| 310 | ····-·CCE-27 | 311 | ····-·CCE-27408-4 |
| 311 | ····-·NIST-800-53-AC-17(8) | 312 | ····-·NIST-800-53-AC-17(8) |
| 312 | ····-·NIST-800-53-CM-7 | 313 | ····-·NIST-800-53-CM-7 |
| 313 | ····-·NIST-800-53-IA-5(1)(c) | ||
| 314 | ····-·NIST-800-171-3.1.13 | 314 | ····-·NIST-800-171-3.1.13 |
| 315 | ····-·NIST-800-171-3.4.7 | 315 | ····-·NIST-800-171-3.4.7 |
| 316 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 316 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 317 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 317 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 318 | the·following·command: | 318 | the·following·command: |
| 319 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 319 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 320 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 320 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| Offset 895, 25 lines modified | Offset 895, 25 lines modified | ||
| 895 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> | 895 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36378"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 896 | package·--remove=ypserv | 896 | package·--remove=ypserv |
| 897 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 897 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 898 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 898 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 899 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 899 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 900 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 900 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 901 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 901 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 902 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm364 | 902 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled"·id="guide-tree-leaf-idm36471"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled">Disable·xinetd·Service |
| 903 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 903 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_xinetd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 904 | ············ | 904 | ············ |
| 905 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 905 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 906 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 906 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 907 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 907 | ··········</p><span·class="label·label-primary">Rationale:</span><p>The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 908 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 908 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 909 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 909 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 910 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 910 | attacks·against·xinetd·itself.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 911 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 911 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 912 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 912 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000305</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36488">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36488"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 913 | # | 913 | # |
| 914 | #·Example·Call(s): | 914 | #·Example·Call(s): |
| 915 | # | 915 | # |
| 916 | #·····service_command·enable·bluetooth | 916 | #·····service_command·enable·bluetooth |
| 917 | #·····service_command·disable·bluetooth.service | 917 | #·····service_command·disable·bluetooth.service |
| 918 | # | 918 | # |
| Max diff block lines reached; 1460987/1486461 bytes (98.29%) of diff not shown. | |||
| Offset 594, 15 lines modified | Offset 594, 60 lines modified | ||
| 594 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 594 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 595 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 595 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 596 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 596 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 597 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 597 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 598 | a·central·logging·server. | 598 | a·central·logging·server. |
| 599 | This·section·discusses·how·to·configure·rsyslog·for | 599 | This·section·discusses·how·to·configure·rsyslog·for |
| 600 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 600 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 601 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 601 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_log_rotation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_log_rotation">Ensure·All·Logs·are·Rotated·by·<tt>logrotate</tt> |
| 602 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Edit·the·file·<code>/etc/logrotate.d/syslog</code>.·Find·the·first | ||
| 603 | line,·which·should·look·like·this·(wrapped·for·clarity): | ||
| 604 | <pre>/var/log/messages·/var/log/secure·/var/log/maillog·/var/log/spooler·\ | ||
| 605 | ··/var/log/boot.log·/var/log/cron·{</pre> | ||
| 606 | Edit·this·line·so·that·it·contains·a·one-space-separated | ||
| 607 | listing·of·each·log·file·referenced·in·<code>/etc/rsyslog.conf</code>. | ||
| 608 | <br><br> | ||
| 609 | All·logs·in·use·on·a·system·must·be·rotated·regularly,·or·the | ||
| 610 | log·files·will·consume·disk·space·over·time,·eventually·interfering | ||
| 611 | with·system·operation.·The·file·<code>/etc/logrotate.d/syslog</code>·is·the | ||
| 612 | configuration·file·used·by·the·<code>logrotate</code>·program·to·maintain·all | ||
| 613 | log·files·written·by·<code>syslog</code>.·By·default,·it·rotates·logs·weekly·and | ||
| 614 | stores·four·archival·copies·of·each·log.·These·settings·can·be | ||
| 615 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | ||
| 616 | sufficient·for·purposes·of·this·guide. | ||
| 617 | <br><br> | ||
| 618 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | ||
| 619 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | ||
| 620 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | ||
| 621 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated"·id="guide-tree-leaf-idm40588"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_log_rotation"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">Ensure·Logrotate·Runs·Periodically | ||
| 622 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ensure_logrotate_activated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>logrotate</code>·utility·allows·for·the·automatic·rotation·of· | ||
| 623 | log·files.··The·frequency·of·rotation·is·specified·in·<code>/etc/logrotate.conf</code>,· | ||
| 624 | which·triggers·a·cron·task.··To·configure·logrotate·to·run·daily,·add·or·correct· | ||
| 625 | the·following·line·in·<code>/etc/logrotate.conf</code>: | ||
| 626 | <pre>#·rotate·log·files·<i>frequency</i> | ||
| 627 | daily</pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·that·are·not·properly·rotated·run·the·risk·of·growing·so·large | ||
| 628 | that·they·fill·up·the·/var/log·partition.·Valuable·logging·information·could·be·lost | ||
| 629 | if·the·/var/log·partition·becomes·full.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 630 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 631 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40600">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40600"><pre><code> | ||
| 632 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | ||
| 633 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 634 | #·daily·rotation·is·configured | ||
| 635 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 636 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 637 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 638 | #·configure·cron.daily·if·not·already | ||
| 639 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 640 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 641 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 642 | fi | ||
| 643 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">Ensure·Proper·Configuration·of·Log·Files | ||
| 602 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. | 644 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·file·<code>/etc/rsyslog.conf</code>·controls·where·log·message·are·written. |
| 603 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a | 645 | These·are·controlled·by·lines·called·<i>rules</i>,·which·consist·of·a |
| 604 | <i>selector</i>·and·an·<i>action</i>. | 646 | <i>selector</i>·and·an·<i>action</i>. |
| 605 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the | 647 | These·rules·are·often·customized·depending·on·the·role·of·the·system,·the |
| 606 | requirements·of·the·environment,·and·whatever·may·enable | 648 | requirements·of·the·environment,·and·whatever·may·enable |
| 607 | the·administrator·to·most·effectively·make·use·of·log·data. | 649 | the·administrator·to·most·effectively·make·use·of·log·data. |
| 608 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: | 650 | The·default·rules·in·Red·Hat·Enterprise·Linux·7·are: |
| Offset 613, 57 lines modified | Offset 658, 29 lines modified | ||
| 613 | *.emerg·················································* | 658 | *.emerg·················································* |
| 614 | uucp,news.crit··········································/var/log/spooler | 659 | uucp,news.crit··········································/var/log/spooler |
| 615 | local7.*················································/var/log/boot.log</pre> | 660 | local7.*················································/var/log/boot.log</pre> |
| 616 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. | 661 | See·the·man·page·<code>rsyslog.conf(5)</code>·for·more·information. |
| 617 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that | 662 | <i>Note·that·the·<code>rsyslog</code>·daemon·can·be·configured·to·use·a·timestamp·format·that |
| 618 | some·log·processing·programs·may·not·understand.·If·this·occurs,· | 663 | some·log·processing·programs·may·not·understand.·If·this·occurs,· |
| 619 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> | 664 | edit·the·file·<code>/etc/rsyslog.conf</code>·and·add·or·edit·the·following·line:</i> |
| 620 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ | 665 | <pre>$·ActionFileDefaultTemplate·RSYSLOG_TraditionalFileFormat</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40628"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions |
| 621 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·group-owner·of·all·log·files·written·by | ||
| 622 | <code>rsyslog</code>·should·be·root. | ||
| 623 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 624 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 625 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 626 | run·the·following·command·to·inspect·the·file's·group·owner: | ||
| 627 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 628 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 629 | correct·this: | ||
| 630 | <pre>$·sudo·chgrp·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 631 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 632 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 633 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 634 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·id="guide-tree-leaf-idm40618"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">Ensure·Log·Files·Are·Owned·By·Appropriate·User | ||
| 635 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·owner·of·all·log·files·written·by | ||
| 636 | <code>rsyslog</code>·should·be·root. | ||
| 637 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | ||
| 638 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | ||
| 639 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | ||
| 640 | run·the·following·command·to·inspect·the·file's·owner: | ||
| 641 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | ||
| 642 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to | ||
| 643 | correct·this: | ||
| 644 | <pre>$·sudo·chown·root·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | ||
| 645 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | ||
| 646 | protected·from·unauthorized·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 647 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 648 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions"·id="guide-tree-leaf-idm40660"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">Ensure·System·Log·Files·Have·Correct·Permissions | ||
| 649 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by | 666 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_rsyslog_files_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·file·permissions·for·all·log·files·written·by |
| 650 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. | 667 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 651 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 668 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 652 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· | 669 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 653 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 670 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 654 | run·the·following·command·to·inspect·the·file's·permissions: | 671 | run·the·following·command·to·inspect·the·file's·permissions: |
| 655 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 672 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 656 | If·the·permissions·are·not·600·or·more·restrictive, | 673 | If·the·permissions·are·not·600·or·more·restrictive, |
| 657 | run·the·following·command·to·correct·this: | 674 | run·the·following·command·to·correct·this: |
| 658 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system | 675 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Log·files·can·contain·valuable·information·regarding·system |
| 659 | configuration.·If·the·system·log·files·are·not·protected·unauthorized | 676 | configuration.·If·the·system·log·files·are·not·protected·unauthorized |
| 660 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 677 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 661 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 678 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 662 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm406 | 679 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.3</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001314</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40646">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40646"><pre><code> |
| 663 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 680 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 664 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 681 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 665 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 682 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 666 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 683 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 667 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 684 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 668 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 685 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| 669 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths | 686 | #·Declare·an·array·to·hold·the·final·list·of·different·log·file·paths |
| Offset 708, 84 lines modified | Offset 725, 67 lines modified | ||
| 708 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them | 725 | » #·Also·for·each·log·file·check·if·its·permissions·differ·from·600.·If·so,·correct·them |
| 709 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] | 726 | » if·[·"$(/usr/bin/stat·-c·%a·"$PATH")"·-ne·600·] |
| 710 | » then | 727 | » then |
| 711 | » » /bin/chmod·600·"$PATH" | 728 | » » /bin/chmod·600·"$PATH" |
| 712 | » fi | 729 | » fi |
| 713 | done | 730 | done |
| 714 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_ | 731 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership"·id="guide-tree-leaf-idm40651"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership">Ensure·Log·Files·Are·Owned·By·Appropriate·User |
| Max diff block lines reached; 443005/470399 bytes (94.18%) of diff not shown. | |||
| Offset 1558, 15 lines modified | Offset 1558, 15 lines modified | ||
| 1558 | The·following·recommendations·describe·how·to·strengthen·the | 1558 | The·following·recommendations·describe·how·to·strengthen·the |
| 1559 | default·ruleset·configuration·file.·An·alternative·to·editing·this | 1559 | default·ruleset·configuration·file.·An·alternative·to·editing·this |
| 1560 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to | 1560 | configuration·file·is·to·create·a·shell·script·that·makes·calls·to |
| 1561 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> | 1561 | the·<code>firewall-cmd</code>·program·to·load·in·rules·under·the·<code>/etc/firewalld/services</code> |
| 1562 | and·<code>/etc/firewalld/zones</code>·directories. | 1562 | and·<code>/etc/firewalld/zones</code>·directories. |
| 1563 | <br><br> | 1563 | <br><br> |
| 1564 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address | 1564 | Instructions·apply·to·both·unless·otherwise·noted.·Language·and·address |
| 1565 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm4 | 1565 | conventions·for·regular·firewalld·rules·are·used·throughout·this·section.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone"·id="guide-tree-leaf-idm40865"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">Set·Default·firewalld·Zone·for·Incoming·Packets |
| 1566 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for | 1566 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·default·zone·to·<code>drop</code>·for |
| 1567 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | 1567 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, |
| 1568 | modify·the·following·line·in | 1568 | modify·the·following·line·in |
| 1569 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | 1569 | <code>/etc/firewalld/firewalld.conf</code>·to·be: |
| 1570 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | 1570 | <pre>DefaultZone=drop</pre></p><span·class="label·label-primary">Rationale:</span><p>In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all |
| 1571 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | 1571 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the |
| 1572 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | 1572 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. |
| Offset 1631, 24 lines modified | Offset 1631, 24 lines modified | ||
| 1631 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn | 1631 | ldap·ldaps·libvirt·libvirt-tls·mdns·mountd·ms-wbt·mysql·nfs·ntp·openvpn |
| 1632 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind | 1632 | pmcd·pmproxy·pmwebapi·pmwebapis·pop3s·postgresql·proxy-dhcp·radius·rpc-bind |
| 1633 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client | 1633 | samba·samba-client·smtp·ssh·telnet·tftp·tftp-client·transmission-client |
| 1634 | vnc-server·wbem-https | 1634 | vnc-server·wbem-https |
| 1635 | </pre> | 1635 | </pre> |
| 1636 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld | 1636 | Finally·to·view·the·network·zones·that·will·be·active·after·the·next·firewalld |
| 1637 | service·reload,·enter·the·following·command·as·root: | 1637 | service·reload,·enter·the·following·command·as·root: |
| 1638 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm4 | 1638 | <pre>#·firewall-cmd·--get-service·--permanent</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-firewalld"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled"·id="guide-tree-leaf-idm40990"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled">Verify·firewalld·Enabled |
| 1639 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 1639 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 1640 | ·············· | 1640 | ·············· |
| 1641 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | 1641 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: |
| 1642 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | 1642 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> |
| 1643 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 1643 | ············</p><span·class="label·label-primary">Rationale:</span><p>Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 1644 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 1644 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 1645 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1645 | prevents·connections·from·unknown·hosts·and·protocols.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1646 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1646 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1647 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1647 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm41004">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41004"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 1648 | # | 1648 | # |
| 1649 | #·Example·Call(s): | 1649 | #·Example·Call(s): |
| 1650 | # | 1650 | # |
| 1651 | #·····service_command·enable·bluetooth | 1651 | #·····service_command·enable·bluetooth |
| 1652 | #·····service_command·disable·bluetooth.service | 1652 | #·····service_command·disable·bluetooth.service |
| 1653 | # | 1653 | # |
| 1654 | #·····Using·xinetd: | 1654 | #·····Using·xinetd: |
| Offset 1716, 15 lines modified | Offset 1716, 15 lines modified | ||
| 1716 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 1716 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 1717 | ··fi | 1717 | ··fi |
| 1718 | fi | 1718 | fi |
| 1719 | } | 1719 | } |
| 1720 | service_command·enable·firewalld | 1720 | service_command·enable·firewalld |
| 1721 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41 | 1721 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm41006">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm41006"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·firewalld |
| 1722 | ··service: | 1722 | ··service: |
| 1723 | ····name="{{item}}" | 1723 | ····name="{{item}}" |
| 1724 | ····enabled="yes" | 1724 | ····enabled="yes" |
| 1725 | ····state="started" | 1725 | ····state="started" |
| 1726 | ··with_items: | 1726 | ··with_items: |
| 1727 | ····-·firewalld | 1727 | ····-·firewalld |
| 1728 | ··tags: | 1728 | ··tags: |
| Offset 2281, 68 lines modified | Offset 2281, 68 lines modified | ||
| 2281 | The·virtual·devices·<code>/dev/console</code> | 2281 | The·virtual·devices·<code>/dev/console</code> |
| 2282 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via | 2282 | and·<code>/dev/tty*</code>·represent·the·system·consoles·(accessible·via |
| 2283 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default | 2283 | the·Ctrl-Alt-F1·through·Ctrl-Alt-F6·keyboard·sequences·on·a·default |
| 2284 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. | 2284 | installation).·The·default·securetty·file·also·contains·<code>/dev/vc/*</code>. |
| 2285 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained | 2285 | These·are·likely·to·be·deprecated·in·most·environments,·but·may·be·retained |
| 2286 | for·compatibility.·Root·should·also·be·prohibited·from·connecting | 2286 | for·compatibility.·Root·should·also·be·prohibited·from·connecting |
| 2287 | via·network·protocols.·Other·sections·of·this·document | 2287 | via·network·protocols.·Other·sections·of·this·document |
| 2288 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 2288 | include·guidance·describing·how·to·prevent·root·from·logging·in·via·SSH.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero"·id="guide-tree-leaf-idm50794"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">Verify·Only·Root·Has·UID·0 |
| 2289 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2290 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2291 | have·their·UID·changed. | ||
| 2292 | <br> | ||
| 2293 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2294 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2295 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2296 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2297 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2298 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2299 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2300 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2301 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50808">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50808"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2302 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"·id="guide-tree-leaf-idm50859"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">Ensure·that·System·Accounts·Do·Not·Run·a·Shell·Upon·Login | ||
| 2289 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to | 2303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Some·accounts·are·not·associated·with·a·human·user·of·the·system,·and·exist·to |
| 2290 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into | 2304 | perform·some·administrative·function.·Should·an·attacker·be·able·to·log·into |
| 2291 | these·accounts,·they·should·not·be·granted·access·to·a·shell. | 2305 | these·accounts,·they·should·not·be·granted·access·to·a·shell. |
| 2292 | <br><br> | 2306 | <br><br> |
| 2293 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line | 2307 | The·login·shell·for·each·local·account·is·stored·in·the·last·field·of·each·line |
| 2294 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID | 2308 | in·<code>/etc/passwd</code>.·System·accounts·are·those·user·accounts·with·a·user·ID |
| 2295 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in | 2309 | less·than·UID_MIN,·where·value·of·UID_MIN·directive·is·set·in |
| 2296 | /etc/login.defs·configuration·file.·In·the·default·configuration·UID_MIN·is·set | 2310 | /etc/login.defs·configuration·file.·In·the·default·configuration·UID_MIN·is·set |
| 2297 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than | 2311 | to·1000,·thus·system·accounts·are·those·user·accounts·with·a·user·ID·less·than |
| 2298 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account | 2312 | 1000.·The·user·ID·is·stored·in·the·third·field.·If·any·system·account |
| 2299 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the | 2313 | <i>SYSACCT</i>·(other·than·root)·has·a·login·shell,·disable·it·with·the |
| 2300 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more | 2314 | command:·<pre>$·sudo·usermod·-s·/sbin/nologin·<i>SYSACCT</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Ensuring·shells·are·not·given·to·system·accounts·upon·login·makes·it·more |
| 2301 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 2315 | difficult·for·attackers·to·make·use·of·system·accounts.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 2302 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 2316 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 2303 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_r | 2317 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password |
| 2304 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·any·account·other·than·root·has·a·UID·of·0,·this·misconfiguration·should· | ||
| 2305 | be·investigated·and·the·accounts·other·than·root·should·be·removed·or· | ||
| 2306 | have·their·UID·changed. | ||
| 2307 | <br> | ||
| 2308 | If·the·account·is·associated·with·system·commands·or·applications·the·UID·should·be·changed | ||
| 2309 | to·one·greater·than·"0"·but·less·than·"1000."·Otherwise·assign·a·UID·greater·than·"1000"·that | ||
| 2310 | has·not·already·been·assigned.</p><span·class="label·label-primary">Rationale:</span><p>An·account·has·root·authority·if·it·has·a·UID·of·0.·Multiple·accounts | ||
| 2311 | with·a·UID·of·0·afford·more·opportunity·for·potential·intruders·to | ||
| 2312 | guess·a·password·for·a·privileged·account.·Proper·configuration·of | ||
| 2313 | sudo·is·recommended·to·afford·multiple·system·administrators | ||
| 2314 | access·to·root·privileges·in·an·accountable·manner.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2315 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2316 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50924"><pre><code>awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | ||
| 2317 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_password_storage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_password_storage">Verify·Proper·Storage·and·Existence·of·Password | ||
| 2318 | Hashes | 2318 | Hashes |
| 2319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored | 2319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·password·hashes·for·local·accounts·are·stored |
| 2320 | in·the·second·field·(colon-separated)·in | 2320 | in·the·second·field·(colon-separated)·in |
| 2321 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by | 2321 | <code>/etc/shadow</code>.·This·file·should·be·readable·only·by |
| 2322 | processes·running·with·root·credentials,·preventing·users·from | 2322 | processes·running·with·root·credentials,·preventing·users·from |
| 2323 | casually·accessing·others'·password·hashes·and·attempting | 2323 | casually·accessing·others'·password·hashes·and·attempting |
| 2324 | to·crack·them. | 2324 | to·crack·them. |
| 2325 | However,·it·remains·possible·to·misconfigure·the·system | 2325 | However,·it·remains·possible·to·misconfigure·the·system |
| 2326 | and·store·password·hashes | 2326 | and·store·password·hashes |
| 2327 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 2327 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 2328 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 2328 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 2329 | Using·system-provided·tools·for·password·change/creation | 2329 | Using·system-provided·tools·for·password·change/creation |
| 2330 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 2330 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm50948"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 2331 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 2331 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 2332 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 2332 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| 2333 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> | 2333 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> |
| 2334 | option·in·<code>/etc/pam.d/system-auth</code>·to | 2334 | option·in·<code>/etc/pam.d/system-auth</code>·to |
| 2335 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and | 2335 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and |
| 2336 | run·commands·with·the·privileges·of·that·account.·Accounts·with | 2336 | run·commands·with·the·privileges·of·that·account.·Accounts·with |
| Max diff block lines reached; 97631/120611 bytes (80.95%) of diff not shown. | |||
| Offset 732, 22 lines modified | Offset 732, 22 lines modified | ||
| 732 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the | 732 | In·Red·Hat·Enterprise·Linux·7,·rsyslog·has·replaced·ksyslogd·as·the |
| 733 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features | 733 | syslog·daemon·of·choice,·and·it·includes·some·additional·security·features |
| 734 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the | 734 | such·as·reliable,·connection-oriented·(i.e.·TCP)·transmission·of·logs,·the |
| 735 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to | 735 | option·to·log·to·database·formats,·and·the·encryption·of·log·data·en·route·to |
| 736 | a·central·logging·server. | 736 | a·central·logging·server. |
| 737 | This·section·discusses·how·to·configure·rsyslog·for | 737 | This·section·discusses·how·to·configure·rsyslog·for |
| 738 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and | 738 | best·effect,·and·how·to·use·tools·provided·with·the·system·to·maintain·and |
| 739 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm4078 | 739 | monitor·logs.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm40788"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service |
| 740 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. | 740 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Red·Hat·Enterprise·Linux·7. |
| 741 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: | 741 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: |
| 742 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide | 742 | ········<pre>$·sudo·systemctl·enable·rsyslog.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide |
| 743 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 743 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 744 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 744 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 745 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4080 | 745 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.12.3.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40807">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40807"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 746 | # | 746 | # |
| 747 | #·Example·Call(s): | 747 | #·Example·Call(s): |
| 748 | # | 748 | # |
| 749 | #·····service_command·enable·bluetooth | 749 | #·····service_command·enable·bluetooth |
| 750 | #·····service_command·disable·bluetooth.service | 750 | #·····service_command·disable·bluetooth.service |
| 751 | # | 751 | # |
| 752 | #·····Using·xinetd: | 752 | #·····Using·xinetd: |
| Offset 815, 15 lines modified | Offset 815, 15 lines modified | ||
| 815 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 815 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 816 | ··fi | 816 | ··fi |
| 817 | fi | 817 | fi |
| 818 | } | 818 | } |
| 819 | service_command·enable·rsyslog | 819 | service_command·enable·rsyslog |
| 820 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4080 | 820 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm40809">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40809"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog |
| 821 | ··service: | 821 | ··service: |
| 822 | ····name="{{item}}" | 822 | ····name="{{item}}" |
| 823 | ····enabled="yes" | 823 | ····enabled="yes" |
| 824 | ····state="started" | 824 | ····state="started" |
| 825 | ··with_items: | 825 | ··with_items: |
| 826 | ····-·rsyslog | 826 | ····-·rsyslog |
| 827 | ··tags: | 827 | ··tags: |
| Offset 929, 26 lines modified | Offset 929, 26 lines modified | ||
| 929 | casually·accessing·others'·password·hashes·and·attempting | 929 | casually·accessing·others'·password·hashes·and·attempting |
| 930 | to·crack·them. | 930 | to·crack·them. |
| 931 | However,·it·remains·possible·to·misconfigure·the·system | 931 | However,·it·remains·possible·to·misconfigure·the·system |
| 932 | and·store·password·hashes | 932 | and·store·password·hashes |
| 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or | 933 | in·world-readable·files·such·as·<code>/etc/passwd</code>,·or |
| 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. | 934 | to·even·store·passwords·themselves·in·plaintext·on·the·system. |
| 935 | Using·system-provided·tools·for·password·change/creation | 935 | Using·system-provided·tools·for·password·change/creation |
| 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm5 | 936 | should·allow·administrators·to·avoid·such·misconfiguration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords"·id="guide-tree-leaf-idm50948"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_no_empty_passwords">Prevent·Log·In·to·Accounts·With·Empty·Password |
| 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication | 937 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·an·account·is·configured·for·password·authentication |
| 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log | 938 | but·does·not·have·an·assigned·password,·it·may·be·possible·to·log |
| 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> | 939 | into·the·account·without·authentication.·Remove·any·instances·of·the·<code>nullok</code> |
| 940 | option·in·<code>/etc/pam.d/system-auth</code>·to | 940 | option·in·<code>/etc/pam.d/system-auth</code>·to |
| 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and | 941 | prevent·logins·with·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>If·an·account·has·an·empty·password,·anyone·could·log·in·and |
| 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with | 942 | run·commands·with·the·privileges·of·that·account.·Accounts·with |
| 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 943 | empty·passwords·should·never·be·used·in·operational·environments.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 944 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 945 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm5 | 945 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm50977">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50977"><pre><code>sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 946 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 946 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 947 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5 | 947 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm50978">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm50978"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 948 | ··replace: | 948 | ··replace: |
| 949 | ····dest:·/etc/pam.d/system-auth | 949 | ····dest:·/etc/pam.d/system-auth |
| 950 | ····follow:·yes | 950 | ····follow:·yes |
| 951 | ····regexp:·'nullok' | 951 | ····regexp:·'nullok' |
| 952 | ··tags: | 952 | ··tags: |
| 953 | ····-·no_empty_passwords | 953 | ····-·no_empty_passwords |
| 954 | ····-·high_severity | 954 | ····-·high_severity |
| Offset 1141, 158 lines modified | Offset 1141, 30 lines modified | ||
| 1141 | <pre>$·sudo·chmod·+t·<i>DIR</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Failing·to·set·the·sticky·bit·on·public·directories·allows·unauthorized·users·to·delete·files·in·the·directory·structure. | 1141 | <pre>$·sudo·chmod·+t·<i>DIR</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Failing·to·set·the·sticky·bit·on·public·directories·allows·unauthorized·users·to·delete·files·in·the·directory·structure. |
| 1142 | <br><br> | 1142 | <br><br> |
| 1143 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· | 1143 | The·only·authorized·public·directories·are·those·temporary·directories·supplied·with·the·system,· |
| 1144 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· | 1144 | or·those·designed·to·be·temporary·file·repositories.··The·setting·is·normally·reserved·for·directories· |
| 1145 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· | 1145 | used·by·the·system,·by·users·for·temporary·file·storage·(such·as·<code>/tmp</code>),·and·for·directories· |
| 1146 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1146 | requiring·global·read/write·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1147 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1147 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1148 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 1148 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_partitions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_partitions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_partitions">Restrict·Partition·Mount·Options |
| 1149 | Filesystems | ||
| 1150 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mounting">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Linux·includes·a·number·of·facilities·for·the·automated·addition | ||
| 1151 | and·removal·of·filesystems·on·a·running·system.··These·facilities·may·be | ||
| 1152 | necessary·in·many·environments,·but·this·capability·also·carries·some·risk·--·whether·direct | ||
| 1153 | risk·from·allowing·users·to·introduce·arbitrary·filesystems, | ||
| 1154 | or·risk·that·software·flaws·in·the·automated·mount·facility·itself·could | ||
| 1155 | allow·an·attacker·to·compromise·the·system. | ||
| 1156 | <br><br> | ||
| 1157 | This·command·can·be·used·to·list·the·types·of·filesystems·that·are | ||
| 1158 | available·to·the·currently·executing·kernel: | ||
| 1159 | <pre>$·find·/lib/modules/`uname·-r`/kernel/fs·-type·f·-name·'*.ko'</pre> | ||
| 1160 | If·these·filesystems·are·not·required·then·they·can·be·explicitly·disabled | ||
| 1161 | in·a·configuratio·file·in··<code>/etc/modprobe.d</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mounting"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled"·id="guide-tree-leaf-idm53437"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mounting"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_autofs_disabled">Disable·the·Automounter | ||
| 1162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_autofs_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>autofs</code>·daemon·mounts·and·unmounts·filesystems,·such·as·user | ||
| 1163 | home·directories·shared·via·NFS,·on·demand.·In·addition,·autofs·can·be·used·to·handle | ||
| 1164 | removable·media,·and·the·default·configuration·provides·the·cdrom·device·as·<code>/misc/cd</code>. | ||
| 1165 | However,·this·method·of·providing·access·to·removable·media·is·not·common,·so·autofs | ||
| 1166 | can·almost·always·be·disabled·if·NFS·is·not·in·use.·Even·if·NFS·is·required,·it·may·be | ||
| 1167 | possible·to·configure·filesystem·mounts·statically·by·editing·<code>/etc/fstab</code> | ||
| 1168 | rather·than·relying·on·the·automounter. | ||
| 1169 | <br><br> | ||
| 1170 | ········The·<code>autofs</code>·service·can·be·disabled·with·the·following·command: | ||
| 1171 | ········<pre>$·sudo·systemctl·disable·autofs.service</pre></p><span·class="label·label-primary">Rationale:</span><p>Disabling·the·automounter·permits·the·administrator·to | ||
| 1172 | statically·control·filesystem·mounting·through·<code>/etc/fstab</code>. | ||
| 1173 | <br><br> | ||
| 1174 | Additionally,·automatically·mounting·filesystems·permits·easy·introduction·of | ||
| 1175 | unknown·devices,·thereby·facilitating·malicious·activity.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 1176 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1177 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86609r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-00163</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm53471">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm53471"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 1178 | # | ||
| 1179 | #·Example·Call(s): | ||
| 1180 | # | ||
| 1181 | #·····service_command·enable·bluetooth | ||
| 1182 | #·····service_command·disable·bluetooth.service | ||
| 1183 | # | ||
| 1184 | #·····Using·xinetd: | ||
| 1185 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 1186 | # | ||
| 1187 | function·service_command·{ | ||
| 1188 | #·Load·function·arguments·into·local·variables | ||
| 1189 | local·service_state=$1 | ||
| 1190 | local·service=$2 | ||
| 1191 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 1192 | #·Check·sanity·of·the·input | ||
| 1193 | if·[·$#·-lt·"2"·] | ||
| 1194 | then | ||
| 1195 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 1196 | ··echo | ||
| 1197 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 1198 | ··echo·"as·the·last·argument"·· | ||
| Max diff block lines reached; 289631/317958 bytes (91.09%) of diff not shown. | |||
| Offset 92, 54 lines modified | Offset 92, 54 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm360 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 101 | and·users·that·are·trusted·by·the·local·system. | ||
| 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 103 | location: | ||
| 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36099">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36099"><pre><code> | ||
| 111 | #·Identify·local·mounts | ||
| 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 113 | #·Find·file·on·each·listed·mount·point | ||
| 114 | for·cur_mount·in·${MOUNT_LIST} | ||
| 115 | do | ||
| 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 117 | done | ||
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36135"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 120 | list·remote·hosts·and·users·that·are·trusted·by·the | 101 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 121 | local·system.·To·remove·these·files,·run·the·following·command | 102 | local·system.·To·remove·these·files,·run·the·following·command |
| 122 | to·delete·them·from·any·location: | 103 | to·delete·them·from·any·location: |
| 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 104 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 105 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 106 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 126 | require·interactive·identification·and·authentication·of·a·connection·request, | 107 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 108 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36069">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36069"><pre><code> |
| 130 | #·Identify·local·mounts | 111 | #·Identify·local·mounts |
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 132 | #·Find·file·on·each·listed·mount·point | 113 | #·Find·file·on·each·listed·mount·point |
| 133 | for·cur_mount·in·${MOUNT_LIST} | 114 | for·cur_mount·in·${MOUNT_LIST} |
| 134 | do | 115 | do |
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 116 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 136 | done | 117 | done |
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36074"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files | ||
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 120 | and·users·that·are·trusted·by·the·local·system. | ||
| 121 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 122 | location: | ||
| 123 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | ||
| 124 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | ||
| 125 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | ||
| 126 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | ||
| 127 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36083">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36083"><pre><code> | ||
| 130 | #·Identify·local·mounts | ||
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | ||
| 132 | #·Find·file·on·each·listed·mount·point | ||
| 133 | for·cur_mount·in·${MOUNT_LIST} | ||
| 134 | do | ||
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | ||
| 136 | done | ||
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package | 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 139 | the·following·command: | 139 | the·following·command: |
| 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| Offset 371, 36 lines modified | Offset 371, 27 lines modified | ||
| 371 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server | 371 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_tftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_tftp">TFTP·Server |
| 372 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has | 372 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TFTP·is·a·lightweight·version·of·the·FTP·protocol·which·has |
| 373 | traditionally·been·used·to·configure·networking·equipment.·However, | 373 | traditionally·been·used·to·configure·networking·equipment.·However, |
| 374 | TFTP·provides·little·security,·and·modern·versions·of·networking | 374 | TFTP·provides·little·security,·and·modern·versions·of·networking |
| 375 | operating·systems·frequently·support·configuration·via·SSH·or·other | 375 | operating·systems·frequently·support·configuration·via·SSH·or·other |
| 376 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more | 376 | more·secure·protocols.·A·TFTP·server·should·be·run·only·if·no·more |
| 377 | secure·method·of·supporting·existing·equipment·can·be | 377 | secure·method·of·supporting·existing·equipment·can·be |
| 378 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_tftp | 378 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36420"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package |
| 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 380 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 381 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 382 | the·following·example·(which·is·also·the·default): | ||
| 383 | <pre>server_args·=·-s·/var/lib/tftpboot</pre></p><span·class="label·label-primary">Rationale:</span><p>Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | ||
| 384 | given·directory.·Serving·files·from·an·intentionally-specified·directory | ||
| 385 | reduces·the·risk·of·sharing·files·which·should·remain·private.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 386 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 387 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86929r2_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed"·id="guide-tree-leaf-idm36439"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_tftp"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed">Uninstall·tftp-server·Package | ||
| 388 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_tftp-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 389 | ············ | 380 | ············ |
| 390 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: | 381 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: |
| 391 | ········<pre>$·sudo·yum·erase·tftp-server</pre> | 382 | ········<pre>$·sudo·yum·erase·tftp-server</pre> |
| 392 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the | 383 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·<code>tftp-server</code>·package·decreases·the·risk·of·the |
| 393 | accidental·(or·intentional)·activation·of·tftp·services. | 384 | accidental·(or·intentional)·activation·of·tftp·services. |
| 394 | <br><br> | 385 | <br><br> |
| 395 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), | 386 | If·TFTP·is·required·for·operational·support·(such·as·transmission·of·router·configurations), |
| 396 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· | 387 | its·use·must·be·documented·with·the·Information·Systems·Securty·Manager·(ISSM),·restricted·to· |
| 397 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 388 | only·authorized·personnel,·and·have·access·control·rules·established.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 398 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 399 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm364 | 390 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36439">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36439"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 400 | # | 391 | # |
| 401 | #·Example·Call(s): | 392 | #·Example·Call(s): |
| 402 | # | 393 | # |
| 403 | #·····package_remove·telnet-server | 394 | #·····package_remove·telnet-server |
| 404 | # | 395 | # |
| 405 | function·package_remove·{ | 396 | function·package_remove·{ |
| Offset 430, 15 lines modified | Offset 421, 15 lines modified | ||
| 430 | ··echo·"Aborting." | 421 | ··echo·"Aborting." |
| 431 | ··exit·1 | 422 | ··exit·1 |
| 432 | fi | 423 | fi |
| 433 | } | 424 | } |
| 434 | package_remove·tftp-server | 425 | package_remove·tftp-server |
| 435 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm364 | 426 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36441">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36441"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·tftp-server·is·removed |
| 436 | ··package: | 427 | ··package: |
| 437 | ····name="{{item}}" | 428 | ····name="{{item}}" |
| 438 | ····state=absent | 429 | ····state=absent |
| 439 | ··with_items: | 430 | ··with_items: |
| 440 | ····-·tftp-server | 431 | ····-·tftp-server |
| 441 | ··tags: | 432 | ··tags: |
| 442 | ····-·package_tftp-server_removed | 433 | ····-·package_tftp-server_removed |
| Max diff block lines reached; 880678/900717 bytes (97.78%) of diff not shown. | |||
| Offset 78, 14 lines modified | Offset 78, 31 lines modified | ||
| 78 | ········<pre·xml:space="preserve">-A·INPUT·-m·state·--state·NEW·-p·tcp·--dport·21·-j·ACCEPT</pre> | 78 | ········<pre·xml:space="preserve">-A·INPUT·-m·state·--state·NEW·-p·tcp·--dport·21·-j·ACCEPT</pre> |
| 79 | Edit·the·file·<code>/etc/sysconfig/iptables-config</code>.·Ensure·that·the·space-separated·list·of·modules·contains | 79 | Edit·the·file·<code>/etc/sysconfig/iptables-config</code>.·Ensure·that·the·space-separated·list·of·modules·contains |
| 80 | the·FTP·connection·tracking·module: | 80 | the·FTP·connection·tracking·module: |
| 81 | <pre>IPTABLES_MODULES="ip_conntrack_ftp"</pre> | 81 | <pre>IPTABLES_MODULES="ip_conntrack_ftp"</pre> |
| 82 | </td> | 82 | </td> |
| 83 | </tr> | 83 | </tr> |
| 84 | <tr> | 84 | <tr> |
| 85 | <td>CCE-27145-2</td> | ||
| 86 | <td>Create·Warning·Banners·for·All·FTP·Users</td> | ||
| 87 | <td·xml:lang="en-US">Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 88 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 89 | <pre>banner_file=/etc/issue</pre> | ||
| 90 | </td> | ||
| 91 | </tr> | ||
| 92 | <tr> | ||
| 93 | <td>CCE-27117-1</td> | ||
| 94 | <td>Disable·FTP·Uploads·if·Possible</td> | ||
| 95 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 96 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 97 | <pre>write_enable=NO</pre> | ||
| 98 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 99 | as·much·as·possible.</td> | ||
| 100 | </tr> | ||
| 101 | <tr> | ||
| 85 | <td>CCE-27411-8</td> | 102 | <td>CCE-27411-8</td> |
| 86 | <td>Place·the·FTP·Home·Directory·on·its·Own·Partition</td> | 103 | <td>Place·the·FTP·Home·Directory·on·its·Own·Partition</td> |
| 87 | <td·xml:lang="en-US">By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | 104 | <td·xml:lang="en-US">By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can |
| 88 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</td> | 105 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</td> |
| 89 | </tr> | 106 | </tr> |
| 90 | <tr> | 107 | <tr> |
| 91 | <td>CCE-27142-9</td> | 108 | <td>CCE-27142-9</td> |
| Offset 94, 31 lines modified | Offset 111, 14 lines modified | ||
| 94 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | 111 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: |
| 95 | <pre>xferlog_enable=YES | 112 | <pre>xferlog_enable=YES |
| 96 | xferlog_std_format=NO | 113 | xferlog_std_format=NO |
| 97 | log_ftp_protocol=YES</pre> | 114 | log_ftp_protocol=YES</pre> |
| 98 | </td> | 115 | </td> |
| 99 | </tr> | 116 | </tr> |
| 100 | <tr> | 117 | <tr> |
| 101 | <td>CCE-27117-1</td> | ||
| 102 | <td>Disable·FTP·Uploads·if·Possible</td> | ||
| 103 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 104 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 105 | <pre>write_enable=NO</pre> | ||
| 106 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 107 | as·much·as·possible.</td> | ||
| 108 | </tr> | ||
| 109 | <tr> | ||
| 110 | <td>CCE-27145-2</td> | ||
| 111 | <td>Create·Warning·Banners·for·All·FTP·Users</td> | ||
| 112 | <td·xml:lang="en-US">Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 113 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 114 | <pre>banner_file=/etc/issue</pre> | ||
| 115 | </td> | ||
| 116 | </tr> | ||
| 117 | <tr> | ||
| 118 | <td>CCE-27187-4</td> | 118 | <td>CCE-27187-4</td> |
| 119 | <td>Install·vsftpd·Package</td> | 119 | <td>Install·vsftpd·Package</td> |
| 120 | <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | 120 | <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. |
| 121 | <pre>$·sudo·yum·install·vsftpd</pre> | 121 | <pre>$·sudo·yum·install·vsftpd</pre> |
| 122 | </td> | 122 | </td> |
| 123 | </tr> | 123 | </tr> |
| 124 | <tr> | 124 | <tr> |
| Offset 285, 20 lines modified | Offset 285, 20 lines modified | ||
| 285 | <br><br> | 285 | <br><br> |
| 286 | If·this·functionality·is·unnecessary,·comment·out·the·module: | 286 | If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 287 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> | 287 | <pre>#LoadModule·cgi_module·modules/mod_cgi.so</pre> |
| 288 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</td> | 288 | If·the·web·server·requires·the·use·of·CGI,·enable·<code>mod_cgi</code>.</td> |
| 289 | </tr> | 289 | </tr> |
| 290 | <tr> | 290 | <tr> |
| 291 | <td>CCE-27 | 291 | <td>CCE-27553-7</td> |
| 292 | <td>Disable· | 292 | <td>Disable·HTTP·Digest·Authentication</td> |
| 293 | <td·xml:lang="en-US">The·<code> | 293 | <td·xml:lang="en-US">The·<code>auth_digest</code>·module·provides·encrypted·authentication·sessions. |
| 294 | 294 | If·this·functionality·is·unnecessary,·comment·out·the·related·module: | |
| 295 | <pre>#LoadModule· | 295 | <pre>#LoadModule·auth_digest_module·modules/mod_auth_digest.so</pre> |
| 296 | 296 | </td> | |
| 297 | </tr> | 297 | </tr> |
| 298 | <tr> | 298 | <tr> |
| 299 | <td>CCE-27468-8</td> | 299 | <td>CCE-27468-8</td> |
| 300 | <td>Disable·Server·Activity·Status</td> | 300 | <td>Disable·Server·Activity·Status</td> |
| 301 | <td·xml:lang="en-US">The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of | 301 | <td·xml:lang="en-US">The·<code>status</code>·module·provides·real-time·access·to·statistics·on·the·internal·operation·of |
| 302 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled | 302 | the·web·server.·This·may·constitute·an·unnecessary·information·leak·and·should·be·disabled |
| 303 | unless·necessary.·To·do·so,·comment·out·the·related·module: | 303 | unless·necessary.·To·do·so,·comment·out·the·related·module: |
| Offset 314, 20 lines modified | Offset 314, 20 lines modified | ||
| 314 | can·create·an·unnecessary·security·leak·and·should·be·disabled. | 314 | can·create·an·unnecessary·security·leak·and·should·be·disabled. |
| 315 | If·its·functionality·is·unnecessary,·comment·out·the·module: | 315 | If·its·functionality·is·unnecessary,·comment·out·the·module: |
| 316 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> | 316 | <pre>#LoadModule·info_module·modules/mod_info.so</pre> |
| 317 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide | 317 | If·there·is·a·critical·need·for·this·module,·use·the·<code>Location</code>·directive·to·provide |
| 318 | an·access·control·list·to·restrict·access·to·the·information.</td> | 318 | an·access·control·list·to·restrict·access·to·the·information.</td> |
| 319 | </tr> | 319 | </tr> |
| 320 | <tr> | 320 | <tr> |
| 321 | <td>CCE-27 | 321 | <td>CCE-27276-5</td> |
| 322 | <td>Disable· | 322 | <td>Disable·URL·Correction·on·Misspelled·Entries</td> |
| 323 | <td·xml:lang="en-US">The·<code> | 323 | <td·xml:lang="en-US">The·<code>speling</code>·module·attempts·to·find·a·document·match·by·allowing·one·misspelling·in·an |
| 324 | If·this·functionality·is·unnecessary,·comment·out·th | 324 | otherwise·failed·request.·If·this·functionality·is·unnecessary,·comment·out·the·module: |
| 325 | <pre>#LoadModule· | 325 | <pre>#LoadModule·speling_module·modules/mod_speling.so</pre> |
| 326 | </td> | 326 | This·functionality·weakens·server·security·by·making·site·enumeration·easier.</td> |
| 327 | </tr> | 327 | </tr> |
| 328 | <tr> | 328 | <tr> |
| 329 | <td>CCE-27541-2</td> | 329 | <td>CCE-27541-2</td> |
| 330 | <td>Disable·MIME·Magic</td> | 330 | <td>Disable·MIME·Magic</td> |
| 331 | <td·xml:lang="en-US">The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations | 331 | <td·xml:lang="en-US">The·<code>mime_magic</code>·module·provides·a·second·layer·of·MIME·support·that·in·most·configurations |
| 332 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: | 332 | is·likely·extraneous.·If·its·functionality·is·unnecessary,·comment·out·the·related·module: |
| 333 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre> | 333 | <pre>#LoadModule·mime_magic_module·modules/mod_mime_magic.so</pre> |
| Offset 443, 156 lines modified | Offset 443, 43 lines modified | ||
| 443 | <td·xml:lang="en-US">The·SSSD·service·should·be·enabled. | 443 | <td·xml:lang="en-US">The·SSSD·service·should·be·enabled. |
| 444 | ········The·<code>sssd</code>·service·can·be·enabled·with·the·following·command: | 444 | ········The·<code>sssd</code>·service·can·be·enabled·with·the·following·command: |
| 445 | ········<pre>$·sudo·systemctl·enable·sssd.service</pre> | 445 | ········<pre>$·sudo·systemctl·enable·sssd.service</pre> |
| 446 | </td> | 446 | </td> |
| 447 | </tr> | 447 | </tr> |
| 448 | <tr> | 448 | <tr> |
| 449 | <td>CCE-27021-5</td> | ||
| 450 | <td>Disable·DHCP·Client</td> | ||
| 451 | <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 452 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 453 | following·changes: | ||
| 454 | <ul> | ||
| 455 | <li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 456 | <pre>BOOTPROTO=none</pre> | ||
| 457 | </li> | ||
| 458 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 459 | values·based·on·your·site's·addressing·scheme: | ||
| 460 | <pre>NETMASK=255.255.255.0 | ||
| 461 | IPADDR=192.168.1.2 | ||
| 462 | GATEWAY=192.168.1.1</pre> | ||
| Max diff block lines reached; 207971/217532 bytes (95.60%) of diff not shown. | |||
| Offset 289, 142 lines modified | Offset 289, 14 lines modified | ||
| 289 | ········The·<code>sssd</code>·service·can·be·enabled·with·the·following·command: | 289 | ········The·<code>sssd</code>·service·can·be·enabled·with·the·following·command: |
| 290 | ········<pre>$·sudo·systemctl·enable·sssd.service</pre> | 290 | ········<pre>$·sudo·systemctl·enable·sssd.service</pre> |
| 291 | </td> | 291 | </td> |
| 292 | <td·xml:lang="en-US"></td> | 292 | <td·xml:lang="en-US"></td> |
| 293 | <td></td> | 293 | <td></td> |
| 294 | </tr> | 294 | </tr> |
| 295 | <tr> | 295 | <tr> |
| 296 | <td>CM-7</td> | ||
| 297 | <td>Disable·DHCP·Client</td> | ||
| 298 | <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 299 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 300 | following·changes: | ||
| 301 | <ul> | ||
| 302 | <li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 303 | <pre>BOOTPROTO=none</pre> | ||
| 304 | </li> | ||
| 305 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 306 | values·based·on·your·site's·addressing·scheme: | ||
| 307 | <pre>NETMASK=255.255.255.0 | ||
| 308 | IPADDR=192.168.1.2 | ||
| 309 | GATEWAY=192.168.1.1</pre> | ||
| 310 | </li> | ||
| 311 | </ul> | ||
| 312 | </td> | ||
| 313 | <td·xml:lang="en-US">DHCP·relies·on·trusting·the·local·network.·If·the·local·network·is·not·trusted, | ||
| 314 | then·it·should·not·be·used.··However,·the·automatic·configuration·provided·by | ||
| 315 | DHCP·is·commonly·used·and·the·alternative,·manual·configuration,·presents·an | ||
| 316 | unacceptable·burden·in·many·circumstances.</td> | ||
| 317 | <td></td> | ||
| 318 | </tr> | ||
| 319 | <tr> | ||
| 320 | <td>CM-7</td> | ||
| 321 | <td>Deny·Decline·Messages</td> | ||
| 322 | <td·xml:lang="en-US">Edit·<code>/etc/dhcp/dhcpd.conf</code>·and·add·or·correct·the·following | ||
| 323 | global·option·to·prevent·the·DHCP·server·from·responding·the·DHCPDECLINE | ||
| 324 | messages,·if·possible:·<pre>deny·declines;</pre> | ||
| 325 | </td> | ||
| 326 | <td·xml:lang="en-US">The·DHCPDECLINE·message·can·be·sent·by·a·DHCP·client·to·indicate | ||
| 327 | that·it·does·not·consider·the·lease·offered·by·the·server·to·be·valid.·By | ||
| 328 | issuing·many·DHCPDECLINE·messages,·a·malicious·client·can·exhaust·the·DHCP | ||
| 329 | server's·pool·of·IP·addresses,·causing·the·DHCP·server·to·forget·old·address | ||
| 330 | allocations.</td> | ||
| 331 | <td></td> | ||
| 332 | </tr> | ||
| 333 | <tr> | ||
| 334 | <td>CM-7</td> | ||
| 335 | <td>Do·Not·Use·Dynamic·DNS</td> | ||
| 336 | <td·xml:lang="en-US">To·prevent·the·DHCP·server·from·receiving·DNS·information·from | ||
| 337 | clients,·edit·<code>/etc/dhcp/dhcpd.conf</code>,·and·add·or·correct·the·following·global | ||
| 338 | option:·<pre>ddns-update-style·none;</pre> | ||
| 339 | </td> | ||
| 340 | <td·xml:lang="en-US">The·Dynamic·DNS·protocol·is·used·to·remotely·update·the·data·served | ||
| 341 | by·a·DNS·server.·DHCP·servers·can·use·Dynamic·DNS·to·publish·information·about | ||
| 342 | their·clients.·This·setup·carries·security·risks,·and·its·use·is·not | ||
| 343 | recommended.··If·Dynamic·DNS·must·be·used·despite·the·risks·it·poses,·it·is | ||
| 344 | critical·that·Dynamic·DNS·transactions·be·protected·using·TSIG·or·some·other | ||
| 345 | cryptographic·authentication·mechanism.·See·dhcpd.conf(5)·for·more·information | ||
| 346 | about·protecting·the·DHCP·server·from·passing·along·malicious·DNS·data·from·its | ||
| 347 | clients.</td> | ||
| 348 | <td></td> | ||
| 349 | </tr> | ||
| 350 | <tr> | ||
| 351 | <td>CM-7</td> | ||
| 352 | <td>Minimize·Served·Information</td> | ||
| 353 | <td·xml:lang="en-US">Edit·/etc/dhcp/dhcpd.conf.·Examine·each·address·range·section·within | ||
| 354 | the·file,·and·ensure·that·the·following·options·are·not·defined·unless·there·is | ||
| 355 | an·operational·need·to·provide·this·information·via·DHCP: | ||
| 356 | <pre>option·domain-name | ||
| 357 | option·domain-name-servers | ||
| 358 | option·nis-domain | ||
| 359 | option·nis-servers | ||
| 360 | option·ntp-servers | ||
| 361 | option·routers | ||
| 362 | option·time-offset</pre> | ||
| 363 | </td> | ||
| 364 | <td·xml:lang="en-US">Because·the·configuration·information·provided·by·the·DHCP·server | ||
| 365 | could·be·maliciously·provided·to·clients·by·a·rogue·DHCP·server,·the·amount·of | ||
| 366 | information·provided·via·DHCP·should·be·minimized.·Remove·these·definitions | ||
| 367 | from·the·DHCP·server·configuration·to·ensure·that·legitimate·clients·do·not | ||
| 368 | unnecessarily·rely·on·DHCP·for·this·information.</td> | ||
| 369 | <td></td> | ||
| 370 | </tr> | ||
| 371 | <tr> | ||
| 372 | <td>CM-7</td> | ||
| 373 | <td>Deny·BOOTP·Queries</td> | ||
| 374 | <td·xml:lang="en-US">Unless·your·network·needs·to·support·older·BOOTP·clients,·disable | ||
| 375 | support·for·the·bootp·protocol·by·adding·or·correcting·the·global·option: | ||
| 376 | <pre>deny·bootp;</pre> | ||
| 377 | </td> | ||
| 378 | <td·xml:lang="en-US">The·bootp·option·tells·dhcpd·to·respond·to·BOOTP·queries.·If·support | ||
| 379 | for·this·simpler·protocol·is·not·needed,·it·should·be·disabled·to·remove·attack | ||
| 380 | vectors·against·the·DHCP·server.</td> | ||
| 381 | <td></td> | ||
| 382 | </tr> | ||
| 383 | <tr> | ||
| 384 | <td>AU-12</td> | ||
| 385 | <td>Configure·Logging</td> | ||
| 386 | <td·xml:lang="en-US">Ensure·that·the·following·line·exists·in | ||
| 387 | <code>/etc/rsyslog.conf</code>: | ||
| 388 | <pre>daemon.*···········/var/log/daemon.log</pre> | ||
| 389 | Configure·logwatch·or·other·log·monitoring·tools·to·summarize·error·conditions | ||
| 390 | reported·by·the·dhcpd·process.</td> | ||
| 391 | <td·xml:lang="en-US">By·default,·dhcpd·logs·notices·to·the·daemon·facility.·Sending·all | ||
| 392 | daemon·messages·to·a·dedicated·log·file·is·part·of·the·syslog·configuration | ||
| 393 | outlined·in·the·Logging·and·Auditing·section</td> | ||
| 394 | <td></td> | ||
| 395 | </tr> | ||
| 396 | <tr> | ||
| 397 | <td>CM-7</td> | ||
| 398 | <td>Uninstall·DHCP·Server·Package</td> | ||
| 399 | <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 400 | the·dhcp·package·can·be·uninstalled. | ||
| 401 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 402 | ········<pre>$·sudo·yum·erase·dhcp</pre> | ||
| 403 | </td> | ||
| 404 | <td·xml:lang="en-US">Removing·the·DHCP·server·ensures·that·it·cannot·be·easily·or | ||
| 405 | accidentally·reactivated·and·disrupt·network·operation.</td> | ||
| 406 | <td></td> | ||
| 407 | </tr> | ||
| 408 | <tr> | ||
| 409 | <td>CM-7</td> | ||
| 410 | <td>Disable·DHCP·Service</td> | ||
| 411 | <td·xml:lang="en-US">The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 412 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 413 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| Max diff block lines reached; 823179/828650 bytes (99.34%) of diff not shown. | |||
| Offset 41, 29 lines modified | Offset 41, 14 lines modified | ||
| 41 | <td>Reference·(PCI·DSS)</td> | 41 | <td>Reference·(PCI·DSS)</td> |
| 42 | <td>Rule·Title</td> | 42 | <td>Rule·Title</td> |
| 43 | <td>Description</td> | 43 | <td>Description</td> |
| 44 | <td>Rationale</td> | 44 | <td>Rationale</td> |
| 45 | <td>Variable·Setting</td> | 45 | <td>Variable·Setting</td> |
| 46 | </thead> | 46 | </thead> |
| 47 | <tr> | 47 | <tr> |
| 48 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.3</a></td> | ||
| 49 | <td>Specify·Additional·Remote·NTP·Servers</td> | ||
| 50 | <td·xml:lang="en-US">Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 51 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 52 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 53 | <em>ntpserver</em>: | ||
| 54 | <pre>server·<i>ntpserver</i></pre> | ||
| 55 | </td> | ||
| 56 | <td·xml:lang="en-US">Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 57 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 58 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 59 | other·systems.</td> | ||
| 60 | <td></td> | ||
| 61 | </tr> | ||
| 62 | <tr> | ||
| 63 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.1</a></td> | 48 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.1</a></td> |
| 64 | <td>Specify·a·Remote·NTP·Server</td> | 49 | <td>Specify·a·Remote·NTP·Server</td> |
| 65 | <td·xml:lang="en-US">To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 50 | <td·xml:lang="en-US">To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 66 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 51 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 67 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 52 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 68 | <pre>server·<i>ntpserver</i></pre> | 53 | <pre>server·<i>ntpserver</i></pre> |
| 69 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 54 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| Offset 84, 14 lines modified | Offset 69, 29 lines modified | ||
| 84 | data.</td> | 69 | data.</td> |
| 85 | <td·xml:lang="en-US">Synchronizing·with·an·NTP·server·makes·it·possible | 70 | <td·xml:lang="en-US">Synchronizing·with·an·NTP·server·makes·it·possible |
| 86 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 71 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 87 | real·time·events.</td> | 72 | real·time·events.</td> |
| 88 | <td></td> | 73 | <td></td> |
| 89 | </tr> | 74 | </tr> |
| 90 | <tr> | 75 | <tr> |
| 76 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.3</a></td> | ||
| 77 | <td>Specify·Additional·Remote·NTP·Servers</td> | ||
| 78 | <td·xml:lang="en-US">Additional·NTP·servers·can·be·specified·for·time·synchronization | ||
| 79 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | ||
| 80 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | ||
| 81 | <em>ntpserver</em>: | ||
| 82 | <pre>server·<i>ntpserver</i></pre> | ||
| 83 | </td> | ||
| 84 | <td·xml:lang="en-US">Specifying·additional·NTP·servers·increases·the·availability·of | ||
| 85 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | ||
| 86 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | ||
| 87 | other·systems.</td> | ||
| 88 | <td></td> | ||
| 89 | </tr> | ||
| 90 | <tr> | ||
| 91 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | 91 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> |
| 92 | <td>Set·SSH·Idle·Timeout·Interval</td> | 92 | <td>Set·SSH·Idle·Timeout·Interval</td> |
| 93 | <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout | 93 | <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout |
| 94 | interval. | 94 | interval. |
| 95 | After·this·interval·has·passed,·the·idle·user·will·be | 95 | After·this·interval·has·passed,·the·idle·user·will·be |
| 96 | automatically·logged·out. | 96 | automatically·logged·out. |
| 97 | <br><br> | 97 | <br><br> |
| Offset 107, 407 lines modified | Offset 107, 26 lines modified | ||
| 107 | from·correctly·detecting·that·the·user·is·idle.</td> | 107 | from·correctly·detecting·that·the·user·is·idle.</td> |
| 108 | <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out | 108 | <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out |
| 109 | guards·against·compromises·one·system·leading·trivially | 109 | guards·against·compromises·one·system·leading·trivially |
| 110 | to·compromises·on·another.</td> | 110 | to·compromises·on·another.</td> |
| 111 | <td></td> | 111 | <td></td> |
| 112 | </tr> | 112 | </tr> |
| 113 | <tr> | 113 | <tr> |
| 114 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page= | 114 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.3</a></td> |
| 115 | <td> | 115 | <td>Configure·auditd·to·use·audispd's·syslog·plugin</td> |
| 116 | <td·xml:lang="en-US"> | 116 | <td·xml:lang="en-US">To·configure·the·<code>auditd</code>·service·to·use·the |
| 117 | in·the· | 117 | <code>syslog</code>·plug-in·of·the·<code>audispd</code>·audit·event·multiplexor,·set |
| 118 | < | 118 | the·<code>active</code>·line·in·<code>/etc/audisp/plugins.d/syslog.conf</code>·to |
| 119 | 119 | <code>yes</code>.·Restart·the·<code>auditd</code>·service: | |
| 120 | ·· | 120 | <pre>$·sudo·service·auditd·restart</pre> |
| 121 | ··--set·/apps/gnome-screensaver/mode·blank-only</pre> | ||
| 122 | </td> | ||
| 123 | <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the | ||
| 124 | contents·of·the·display·from·passersby.</td> | ||
| 125 | <td></td> | ||
| 126 | </tr> | ||
| 127 | <tr> | ||
| 128 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 129 | <td>Enable·Screen·Lock·Activation·After·Idle·Period</td> | ||
| 130 | <td·xml:lang="en-US">Run·the·following·command·to·activate·locking·of·the·screensaver | ||
| 131 | in·the·GNOME·desktop·when·it·is·activated: | ||
| 132 | <pre>$·sudo·gconftool-2·--direct·\ | ||
| 133 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 134 | ··--type·bool·\ | ||
| 135 | ··--set·/apps/gnome-screensaver/lock_enabled·true</pre> | ||
| 136 | </td> | ||
| 137 | <td·xml:lang="en-US">Enabling·the·activation·of·the·screen·lock·after·an·idle·period | ||
| 138 | ensures·password·entry·will·be·required·in·order·to | ||
| 139 | access·the·system,·preventing·access·by·passersby.</td> | ||
| 140 | <td></td> | ||
| 141 | </tr> | ||
| 142 | <tr> | ||
| 143 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 144 | <td>GNOME·Desktop·Screensaver·Mandatory·Use</td> | ||
| 145 | <td·xml:lang="en-US">Run·the·following·command·to·activate·the·screensaver | ||
| 146 | in·the·GNOME·desktop·after·a·period·of·inactivity: | ||
| 147 | <pre>$·sudo·gconftool-2·--direct·\ | ||
| 148 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 149 | ··--type·bool·\ | ||
| 150 | ··--set·/apps/gnome-screensaver/idle_activation_enabled·true</pre> | ||
| 151 | </td> | ||
| 152 | <td·xml:lang="en-US">Enabling·idle·activation·of·the·screensaver·ensures·the·screensaver·will | ||
| 153 | be·activated·after·the·idle·delay.··Applications·requiring·continuous, | ||
| 154 | real-time·screen·display·(such·as·network·management·products)·require·the | ||
| 155 | login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a | ||
| 156 | controlled-access·area.</td> | ||
| 157 | <td></td> | ||
| 158 | </tr> | ||
| 159 | <tr> | ||
| 160 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 161 | <td>Set·GNOME·Login·Inactivity·Timeout</td> | ||
| 162 | <td·xml:lang="en-US">Run·the·following·command·to·set·the·idle·time-out·value·for | ||
| 163 | inactivity·in·the·GNOME·desktop·to·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub>·minutes: | ||
| 164 | <pre>$·sudo·gconftool-2·\ | ||
| 165 | ··--direct·\ | ||
| 166 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 167 | ··--type·int·\ | ||
| 168 | ··--set·/desktop/gnome/session/idle_delay·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub></pre> | ||
| 169 | </td> | ||
| 170 | <td·xml:lang="en-US">Setting·the·idle·delay·controls·when·the | ||
| 171 | screensaver·will·start,·and·can·be·combined·with | ||
| 172 | screen·locking·to·prevent·access·from·passersby.</td> | ||
| 173 | <td></td> | ||
| Max diff block lines reached; 56130/82163 bytes (68.32%) of diff not shown. | |||
| Offset 66, 61 lines modified | Offset 66, 38 lines modified | ||
| 66 | <td></td> | 66 | <td></td> |
| 67 | </tr> | 67 | </tr> |
| 68 | <tr> | 68 | <tr> |
| 69 | <td>SRG-OS-000480-GPOS-00232</td> | 69 | <td>SRG-OS-000480-GPOS-00232</td> |
| 70 | <td>CCI-000366</td> | 70 | <td>CCI-000366</td> |
| 71 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 71 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 72 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 72 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 73 | <td> | 73 | <td>tftpd_uses_secure_mode</td> |
| 74 | <td> | 74 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> |
| 75 | <td·xml:lang="en-US"> | 75 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured |
| 76 | 76 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | |
| 77 | fol | 77 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in |
| 78 | 78 | the·following·example·(which·is·also·the·default): | |
| 79 | < | 79 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> |
| 80 | <pre>BOOTPROTO=none</pre> | ||
| 81 | </li> | ||
| 82 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 83 | values·based·on·your·site's·addressing·scheme: | ||
| 84 | <pre>NETMASK=255.255.255.0 | ||
| 85 | IPADDR=192.168.1.2 | ||
| 86 | GATEWAY=192.168.1.1</pre> | ||
| 87 | </li> | ||
| 88 | </ul> | ||
| 89 | </td> | ||
| 90 | <td></td> | ||
| 91 | </tr> | ||
| 92 | <tr> | ||
| 93 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 94 | <td>CCI-000366</td> | ||
| 95 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 96 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 97 | <td>package_dhcp_removed</td> | ||
| 98 | <td>Uninstall·DHCP·Server·Package</td> | ||
| 99 | <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 100 | the·dhcp·package·can·be·uninstalled. | ||
| 101 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 102 | ········<pre>$·sudo·yum·erase·dhcp</pre> | ||
| 103 | </td> | 80 | </td> |
| 104 | <td></td> | 81 | <td></td> |
| 105 | </tr> | 82 | </tr> |
| 106 | <tr> | 83 | <tr> |
| 107 | <td>SRG-OS-000480-GPOS-00232</td> | 84 | <td>SRG-OS-000480-GPOS-00232</td> |
| 108 | <td>CCI-000366</td> | 85 | <td>CCI-000366</td> |
| 109 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 86 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 110 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 87 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 111 | <td> | 88 | <td>package_openldap-servers_removed</td> |
| 112 | <td> | 89 | <td>Uninstall·openldap-servers·Package</td> |
| 113 | <td·xml:lang="en-US">The·<code>d | 90 | <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use. |
| 114 | 91 | Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package. | |
| 92 | <pre>$·sudo·yum·erase·openldap-servers</pre> | ||
| 115 | 93 | The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6 | |
| 116 | · | 94 | systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the |
| 117 | 95 | clients·which·use·LDAP·for·authentication.·If·the·system·is·not | |
| 96 | intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td> | ||
| 118 | <td></td> | 97 | <td></td> |
| 119 | </tr> | 98 | </tr> |
| 120 | <tr> | 99 | <tr> |
| 121 | <td>SRG-OS-000480-GPOS-00232</td> | 100 | <td>SRG-OS-000480-GPOS-00232</td> |
| 122 | <td>CCI-000366</td> | 101 | <td>CCI-000366</td> |
| 123 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 102 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 124 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 103 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| Offset 148, 29 lines modified | Offset 125, 14 lines modified | ||
| 148 | <td></td> | 125 | <td></td> |
| 149 | </tr> | 126 | </tr> |
| 150 | <tr> | 127 | <tr> |
| 151 | <td>SRG-OS-000480-GPOS-00232</td> | 128 | <td>SRG-OS-000480-GPOS-00232</td> |
| 152 | <td>CCI-000366</td> | 129 | <td>CCI-000366</td> |
| 153 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 130 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 154 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 131 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 155 | <td>tftpd_uses_secure_mode</td> | ||
| 156 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 157 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 158 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 159 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 160 | the·following·example·(which·is·also·the·default): | ||
| 161 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 162 | </td> | ||
| 163 | <td></td> | ||
| 164 | </tr> | ||
| 165 | <tr> | ||
| 166 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 167 | <td>CCI-000366</td> | ||
| 168 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 169 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 170 | <td>service_named_disabled</td> | 132 | <td>service_named_disabled</td> |
| 171 | <td>Disable·DNS·Server</td> | 133 | <td>Disable·DNS·Server</td> |
| 172 | <td·xml:lang="en-US"> | 134 | <td·xml:lang="en-US"> |
| 173 | ············ | 135 | ············ |
| 174 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: | 136 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: |
| 175 | ········<pre>$·sudo·chkconfig·named·off</pre> | 137 | ········<pre>$·sudo·chkconfig·named·off</pre> |
| 176 | ··········</td> | 138 | ··········</td> |
| Offset 190, 153 lines modified | Offset 152, 88 lines modified | ||
| 190 | <td></td> | 152 | <td></td> |
| 191 | </tr> | 153 | </tr> |
| 192 | <tr> | 154 | <tr> |
| 193 | <td>SRG-OS-000480-GPOS-00232</td> | 155 | <td>SRG-OS-000480-GPOS-00232</td> |
| 194 | <td>CCI-000366</td> | 156 | <td>CCI-000366</td> |
| 195 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 157 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 196 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 158 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 197 | <td> | 159 | <td>sysconfig_networking_bootproto_ifcfg</td> |
| 198 | <td> | 160 | <td>Disable·DHCP·Client</td> |
| 199 | <td·xml:lang="en-US"> | 161 | <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit |
| 200 | 162 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | |
| 201 | 163 | following·changes: | |
| 202 | 164 | <ul> | |
| 203 | 165 | <li>·Correct·the·BOOTPROTO·line·to·read: | |
| 204 | 166 | <pre>BOOTPROTO=none</pre> | |
| 205 | 167 | </li> | |
| 206 | <t | 168 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate |
| 207 | 169 | values·based·on·your·site's·addressing·scheme: | |
| 208 | < | 170 | <pre>NETMASK=255.255.255.0 |
| 209 | 171 | IPADDR=192.168.1.2 | |
| 210 | 172 | GATEWAY=192.168.1.1</pre> | |
| 211 | < | 173 | </li> |
| 212 | < | 174 | </ul> |
| 213 | <td>postfix_client_configure_mail_alias</td> | ||
| 214 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> | ||
| 215 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: | ||
| 216 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases | ||
| 217 | $·sudo·newaliases</pre> | ||
| 218 | </td> | ||
| 219 | <td></td> | ||
| 220 | </tr> | ||
| 221 | <tr> | ||
| 222 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 223 | <td>CCI-000366</td> | ||
| Max diff block lines reached; 294660/304500 bytes (96.77%) of diff not shown. | |||
| Offset 65, 48 lines modified | Offset 65, 31 lines modified | ||
| 65 | <tr> | 65 | <tr> |
| 66 | <td>SRG-OS-000480-GPOS-00232</td> | 66 | <td>SRG-OS-000480-GPOS-00232</td> |
| 67 | <td>CCI-000366</td> | 67 | <td>CCI-000366</td> |
| 68 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 68 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 69 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 69 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 70 | <td> | 70 | <td> |
| 71 | <table><tr> | 71 | <table><tr> |
| 72 | <td> | 72 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> |
| 73 | <td·xml:lang="en-US"> | 73 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured |
| 74 | 74 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | |
| 75 | fol | 75 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in |
| 76 | 76 | the·following·example·(which·is·also·the·default): | |
| 77 | < | 77 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> |
| 78 | <pre>BOOTPROTO=none</pre> | ||
| 79 | </li> | ||
| 80 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 81 | values·based·on·your·site's·addressing·scheme: | ||
| 82 | <pre>NETMASK=255.255.255.0 | ||
| 83 | IPADDR=192.168.1.2 | ||
| 84 | GATEWAY=192.168.1.1</pre> | ||
| 85 | </li> | ||
| 86 | </ul> | ||
| 87 | </td> | ||
| 88 | </tr></table> | ||
| 89 | <table><tr> | ||
| 90 | <td>Uninstall·DHCP·Server·Package</td> | ||
| 91 | <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 92 | the·dhcp·package·can·be·uninstalled. | ||
| 93 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 94 | ········<pre>$·sudo·yum·erase·dhcp</pre> | ||
| 95 | </td> | 78 | </td> |
| 96 | </tr></table> | 79 | </tr></table> |
| 97 | <table><tr> | 80 | <table><tr> |
| 98 | <td> | 81 | <td>Uninstall·openldap-servers·Package</td> |
| 99 | <td·xml:lang="en-US">The·<code>d | 82 | <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use. |
| 100 | 83 | Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package. | |
| 84 | <pre>$·sudo·yum·erase·openldap-servers</pre> | ||
| 101 | 85 | The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6 | |
| 102 | · | 86 | systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the |
| 103 | 87 | clients·which·use·LDAP·for·authentication.·If·the·system·is·not | |
| 88 | intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td> | ||
| 104 | </tr></table> | 89 | </tr></table> |
| 105 | <table><tr> | 90 | <table><tr> |
| 106 | <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> | 91 | <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> |
| 107 | <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup | 92 | <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup |
| 108 | of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> | 93 | of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> |
| 109 | features·a·<code>3</code>·as·shown: | 94 | features·a·<code>3</code>·as·shown: |
| 110 | <pre>id:3:initdefault:</pre> | 95 | <pre>id:3:initdefault:</pre> |
| Offset 117, 23 lines modified | Offset 100, 14 lines modified | ||
| 117 | <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System | 100 | <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System |
| 118 | ensures·users·or·malicious·software·cannot·start·X. | 101 | ensures·users·or·malicious·software·cannot·start·X. |
| 119 | To·do·so,·run·the·following·command: | 102 | To·do·so,·run·the·following·command: |
| 120 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | 103 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> |
| 121 | </td> | 104 | </td> |
| 122 | </tr></table> | 105 | </tr></table> |
| 123 | <table><tr> | 106 | <table><tr> |
| 124 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 125 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 126 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 127 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 128 | the·following·example·(which·is·also·the·default): | ||
| 129 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 130 | </td> | ||
| 131 | </tr></table> | ||
| 132 | <table><tr> | ||
| 133 | <td>Disable·DNS·Server</td> | 107 | <td>Disable·DNS·Server</td> |
| 134 | <td·xml:lang="en-US"> | 108 | <td·xml:lang="en-US"> |
| 135 | ············ | 109 | ············ |
| 136 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: | 110 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: |
| 137 | ········<pre>$·sudo·chkconfig·named·off</pre> | 111 | ········<pre>$·sudo·chkconfig·named·off</pre> |
| 138 | ··········</td> | 112 | ··········</td> |
| 139 | </tr></table> | 113 | </tr></table> |
| Offset 141, 22 lines modified | Offset 115, 48 lines modified | ||
| 141 | <td>Uninstall·bind·Package</td> | 115 | <td>Uninstall·bind·Package</td> |
| 142 | <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the | 116 | <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the |
| 143 | <code>named</code>·service,·run·the·following·command: | 117 | <code>named</code>·service,·run·the·following·command: |
| 144 | <pre>$·sudo·yum·erase·bind</pre> | 118 | <pre>$·sudo·yum·erase·bind</pre> |
| 145 | </td> | 119 | </td> |
| 146 | </tr></table> | 120 | </tr></table> |
| 147 | <table><tr> | 121 | <table><tr> |
| 148 | <td> | 122 | <td>Disable·DHCP·Client</td> |
| 149 | <td·xml:lang="en-US"> | 123 | <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit |
| 150 | 124 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | |
| 151 | 125 | following·changes: | |
| 152 | 126 | <ul> | |
| 153 | 127 | <li>·Correct·the·BOOTPROTO·line·to·read: | |
| 154 | 128 | <pre>BOOTPROTO=none</pre> | |
| 155 | 129 | </li> | |
| 130 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 131 | values·based·on·your·site's·addressing·scheme: | ||
| 132 | <pre>NETMASK=255.255.255.0 | ||
| 133 | IPADDR=192.168.1.2 | ||
| 134 | GATEWAY=192.168.1.1</pre> | ||
| 135 | </li> | ||
| 136 | </ul> | ||
| 137 | </td> | ||
| 138 | </tr></table> | ||
| 139 | <table><tr> | ||
| 140 | <td>Uninstall·DHCP·Server·Package</td> | ||
| 141 | <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 142 | the·dhcp·package·can·be·uninstalled. | ||
| 143 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 144 | ········<pre>$·sudo·yum·erase·dhcp</pre> | ||
| 145 | </td> | ||
| 146 | </tr></table> | ||
| 147 | <table><tr> | ||
| 148 | <td>Disable·DHCP·Service</td> | ||
| 149 | <td·xml:lang="en-US">The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 150 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 151 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 152 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre> | ||
| 153 | </td> | ||
| 156 | </tr></table> | 154 | </tr></table> |
| 157 | <table><tr> | 155 | <table><tr> |
| 158 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> | 156 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> |
| 159 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: | 157 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: |
| 160 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases | 158 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases |
| 161 | $·sudo·newaliases</pre> | 159 | $·sudo·newaliases</pre> |
| 162 | </td> | 160 | </td> |
| Offset 166, 81 lines modified | Offset 166, 14 lines modified | ||
| 166 | <td·xml:lang="en-US"> | 166 | <td·xml:lang="en-US"> |
| 167 | ············ | 167 | ············ |
| 168 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: | 168 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: |
| 169 | ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre> | 169 | ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre> |
| Max diff block lines reached; 169243/175506 bytes (96.43%) of diff not shown. | |||
| Offset 55, 23 lines modified | Offset 55, 21 lines modified | ||
| 55 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 55 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 56 | If·using·systemd,· | 56 | If·using·systemd,· |
| 57 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 57 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 58 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre> | 58 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre> |
| 59 | </td> | 59 | </td> |
| 60 | </tr> | 60 | </tr> |
| 61 | <tr> | 61 | <tr> |
| 62 | <td>CCE- | 62 | <td>CCE-80514-3</td> |
| 63 | <td> | 63 | <td>Remove·User·Host-Based·Authentication·Files</td> |
| 64 | <td·xml:lang="en-US">The·<code> | 64 | <td·xml:lang="en-US">The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 65 | 65 | list·remote·hosts·and·users·that·are·trusted·by·the | |
| 66 | 66 | local·system.·To·remove·these·files,·run·the·following·command | |
| 67 | 67 | to·delete·them·from·any·location: | |
| 68 | 68 | <pre>$·sudo·rm·~/.shosts</pre> | |
| 69 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | ||
| 70 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> | ||
| 71 | </td> | 69 | </td> |
| 72 | </tr> | 70 | </tr> |
| 73 | <tr> | 71 | <tr> |
| 74 | <td>CCE-80513-5</td> | 72 | <td>CCE-80513-5</td> |
| 75 | <td>Remove·Host-Based·Authentication·Files</td> | 73 | <td>Remove·Host-Based·Authentication·Files</td> |
| 76 | <td·xml:lang="en-US">The·<code>shosts.equiv</code>·file·list·remote·hosts | 74 | <td·xml:lang="en-US">The·<code>shosts.equiv</code>·file·list·remote·hosts |
| 77 | and·users·that·are·trusted·by·the·local·system. | 75 | and·users·that·are·trusted·by·the·local·system. |
| Offset 89, 21 lines modified | Offset 87, 23 lines modified | ||
| 89 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. | 87 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 90 | If·using·systemd,· | 88 | If·using·systemd,· |
| 91 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: | 89 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 92 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> | 90 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 93 | </td> | 91 | </td> |
| 94 | </tr> | 92 | </tr> |
| 95 | <tr> | 93 | <tr> |
| 96 | <td>CCE- | 94 | <td>CCE-27408-4</td> |
| 97 | <td> | 95 | <td>Disable·rexec·Service</td> |
| 98 | <td·xml:lang="en-US">The·<code> | 96 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 99 | 97 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | |
| 100 | 98 | as·a·systemd·socket,·should·be·disabled. | |
| 101 | t | 99 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 102 | 100 | If·using·systemd,· | |
| 101 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | ||
| 102 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> | ||
| 103 | </td> | 103 | </td> |
| 104 | </tr> | 104 | </tr> |
| 105 | <tr> | 105 | <tr> |
| 106 | <td>CCE-27342-5</td> | 106 | <td>CCE-27342-5</td> |
| 107 | <td>Uninstall·rsh-server·Package</td> | 107 | <td>Uninstall·rsh-server·Package</td> |
| 108 | <td·xml:lang="en-US">The·<code>rsh-server</code>·package·can·be·uninstalled·with | 108 | <td·xml:lang="en-US">The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 109 | the·following·command: | 109 | the·following·command: |
| Offset 206, 52 lines modified | Offset 206, 52 lines modified | ||
| 206 | <td·xml:lang="en-US">The·<code>tftp</code>·service·should·be·disabled. | 206 | <td·xml:lang="en-US">The·<code>tftp</code>·service·should·be·disabled. |
| 207 | ········The·<code>tftp</code>·service·can·be·disabled·with·the·following·command: | 207 | ········The·<code>tftp</code>·service·can·be·disabled·with·the·following·command: |
| 208 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> | 208 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> |
| 209 | </td> | 209 | </td> |
| 210 | </tr> | 210 | </tr> |
| 211 | <tr> | 211 | <tr> |
| 212 | <td>CCE-80213-2</td> | ||
| 213 | <td>Uninstall·tftp-server·Package</td> | ||
| 214 | <td·xml:lang="en-US"> | ||
| 215 | ············ | ||
| 216 | ········The·<code>tftp-server</code>·package·can·be·removed·with·the·following·command: | ||
| 217 | ········<pre>$·sudo·yum·erase·tftp-server</pre> | ||
| 218 | ··········</td> | ||
| 219 | </tr> | ||
| 220 | <tr> | ||
| 212 | <td>CCE-80214-0</td> | 221 | <td>CCE-80214-0</td> |
| 213 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | 222 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> |
| 214 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | 223 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured |
| 215 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | 224 | to·change·its·root·directory·at·startup.·To·do·so,·ensure |
| 216 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | 225 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in |
| 217 | the·following·example·(which·is·also·the·default): | 226 | the·following·example·(which·is·also·the·default): |
| 218 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | 227 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> |
| 219 | </td> | 228 | </td> |
| 220 | </tr> | 229 | </tr> |
| 221 | <tr> | 230 | <tr> |
| 222 | <td>CCE- | 231 | <td>CCE-27443-1</td> |
| 223 | <td> | 232 | <td>Disable·xinetd·Service</td> |
| 224 | <td·xml:lang="en-US"> | 233 | <td·xml:lang="en-US"> |
| 225 | ············ | 234 | ············ |
| 226 | ········The·<code> | 235 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 227 | ········<pre>$·sudo·y | 236 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 228 | ··········</td> | 237 | ··········</td> |
| 229 | </tr> | 238 | </tr> |
| 230 | <tr> | 239 | <tr> |
| 231 | <td>CCE-27361-5</td> | 240 | <td>CCE-27361-5</td> |
| 232 | <td>Install·tcp_wrappers·Package</td> | 241 | <td>Install·tcp_wrappers·Package</td> |
| 233 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | 242 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the |
| 234 | <code>tcp_wrappers</code>·package·should·be·installed. | 243 | <code>tcp_wrappers</code>·package·should·be·installed. |
| 235 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | 244 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: |
| 236 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | 245 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> |
| 237 | </td> | 246 | </td> |
| 238 | </tr> | 247 | </tr> |
| 239 | <tr> | 248 | <tr> |
| 240 | <td>CCE-27443-1</td> | ||
| 241 | <td>Disable·xinetd·Service</td> | ||
| 242 | <td·xml:lang="en-US"> | ||
| 243 | ············ | ||
| 244 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | ||
| 245 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | ||
| 246 | ··········</td> | ||
| 247 | </tr> | ||
| 248 | <tr> | ||
| 249 | <td>CCE-27354-0</td> | 249 | <td>CCE-27354-0</td> |
| 250 | <td>Uninstall·xinetd·Package</td> | 250 | <td>Uninstall·xinetd·Package</td> |
| 251 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: | 251 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: |
| 252 | <pre>$·sudo·yum·erase·xinetd</pre> | 252 | <pre>$·sudo·yum·erase·xinetd</pre> |
| 253 | </td> | 253 | </td> |
| 254 | </tr> | 254 | </tr> |
| 255 | <tr> | 255 | <tr> |
| Offset 281, 14 lines modified | Offset 281, 31 lines modified | ||
| 281 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | 281 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than |
| 282 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | 282 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: |
| 283 | <pre>local_enable=NO</pre> | 283 | <pre>local_enable=NO</pre> |
| 284 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | 284 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure |
| 285 | these·logins·as·much·as·possible.</td> | 285 | these·logins·as·much·as·possible.</td> |
| 286 | </tr> | 286 | </tr> |
| 287 | <tr> | 287 | <tr> |
| 288 | <td>CCE-80248-8</td> | ||
| 289 | <td>Create·Warning·Banners·for·All·FTP·Users</td> | ||
| 290 | <td·xml:lang="en-US">Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 291 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 292 | <pre>banner_file=/etc/issue</pre> | ||
| 293 | </td> | ||
| 294 | </tr> | ||
| 295 | <tr> | ||
| 296 | <td>CCE-80250-4</td> | ||
| 297 | <td>Disable·FTP·Uploads·if·Possible</td> | ||
| Max diff block lines reached; 288528/294805 bytes (97.87%) of diff not shown. | |||
| Offset 72, 41 lines modified | Offset 72, 41 lines modified | ||
| 72 | means·that·data·from·the·login·session,·including·passwords·and | 72 | means·that·data·from·the·login·session,·including·passwords·and |
| 73 | all·other·information·transmitted·during·the·session,·can·be | 73 | all·other·information·transmitted·during·the·session,·can·be |
| 74 | stolen·by·eavesdroppers·on·the·network.</td> | 74 | stolen·by·eavesdroppers·on·the·network.</td> |
| 75 | <td></td> | 75 | <td></td> |
| 76 | </tr> | 76 | </tr> |
| 77 | <tr> | 77 | <tr> |
| 78 | <td>2.2.17</td> | 78 | <td>2.2.17</td> |
| 79 | <td>Disable·r | 79 | <td>Disable·rsh·Service</td> |
| 80 | <td·xml:lang="en-US">The·<code>r | 80 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 81 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 81 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 82 | as·a·systemd·socket,·should·be·disabled. | 82 | as·a·systemd·socket,·should·be·disabled. |
| 83 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 83 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 84 | If·using·systemd,· | 84 | If·using·systemd,· |
| 85 | ········The·<code>r | 85 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 86 | ········<pre>$·sudo·systemctl·disable·r | 86 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 87 | </td> | 87 | </td> |
| 88 | <td·xml:lang="en-US">The·r | 88 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 89 | means·that·data·from·the·login·session,·including·passwords·and | 89 | means·that·data·from·the·login·session,·including·passwords·and |
| 90 | all·other·information·transmitted·during·the·session,·can·be | 90 | all·other·information·transmitted·during·the·session,·can·be |
| 91 | stolen·by·eavesdroppers·on·the·network.</td> | 91 | stolen·by·eavesdroppers·on·the·network.</td> |
| 92 | <td></td> | 92 | <td></td> |
| 93 | </tr> | 93 | </tr> |
| 94 | <tr> | 94 | <tr> |
| 95 | <td>2.2.17</td> | 95 | <td>2.2.17</td> |
| 96 | <td>Disable·r | 96 | <td>Disable·rexec·Service</td> |
| 97 | <td·xml:lang="en-US">The·<code>r | 97 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 98 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 98 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 99 | as·a·systemd·socket,·should·be·disabled. | 99 | as·a·systemd·socket,·should·be·disabled. |
| 100 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 100 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 101 | If·using·systemd,· | 101 | If·using·systemd,· |
| 102 | ········The·<code>r | 102 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 103 | ········<pre>$·sudo·systemctl·disable·r | 103 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> |
| 104 | </td> | 104 | </td> |
| 105 | <td·xml:lang="en-US">The·r | 105 | <td·xml:lang="en-US">The·rexec·service·uses·unencrypted·network·communications,·which |
| 106 | means·that·data·from·the·login·session,·including·passwords·and | 106 | means·that·data·from·the·login·session,·including·passwords·and |
| 107 | all·other·information·transmitted·during·the·session,·can·be | 107 | all·other·information·transmitted·during·the·session,·can·be |
| 108 | stolen·by·eavesdroppers·on·the·network.</td> | 108 | stolen·by·eavesdroppers·on·the·network.</td> |
| 109 | <td></td> | 109 | <td></td> |
| 110 | </tr> | 110 | </tr> |
| 111 | <tr> | 111 | <tr> |
| 112 | <td>6.2.14</td> | 112 | <td>6.2.14</td> |
| Offset 227, 42 lines modified | Offset 227, 42 lines modified | ||
| 227 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> | 227 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> |
| 228 | </td> | 228 | </td> |
| 229 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting | 229 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting |
| 230 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> | 230 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> |
| 231 | <td></td> | 231 | <td></td> |
| 232 | </tr> | 232 | </tr> |
| 233 | <tr> | 233 | <tr> |
| 234 | <td>3.4.1</td> | ||
| 235 | <td>Install·tcp_wrappers·Package</td> | ||
| 236 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 237 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 238 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 239 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | ||
| 240 | </td> | ||
| 241 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 242 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 243 | prevents·connections·from·unknown·hosts·and·protocols.</td> | ||
| 244 | <td></td> | ||
| 245 | </tr> | ||
| 246 | <tr> | ||
| 247 | <td>2.1.7</td> | 234 | <td>2.1.7</td> |
| 248 | <td>Disable·xinetd·Service</td> | 235 | <td>Disable·xinetd·Service</td> |
| 249 | <td·xml:lang="en-US"> | 236 | <td·xml:lang="en-US"> |
| 250 | ············ | 237 | ············ |
| 251 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 238 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 252 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 239 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 253 | ··········</td> | 240 | ··········</td> |
| 254 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 241 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 255 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 242 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 256 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 243 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 257 | attacks·against·xinetd·itself.</td> | 244 | attacks·against·xinetd·itself.</td> |
| 258 | <td></td> | 245 | <td></td> |
| 259 | </tr> | 246 | </tr> |
| 260 | <tr> | 247 | <tr> |
| 248 | <td>3.4.1</td> | ||
| 249 | <td>Install·tcp_wrappers·Package</td> | ||
| 250 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 251 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 252 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 253 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | ||
| 254 | </td> | ||
| 255 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 256 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 257 | prevents·connections·from·unknown·hosts·and·protocols.</td> | ||
| 258 | <td></td> | ||
| 259 | </tr> | ||
| 260 | <tr> | ||
| 261 | <td>2.3.3</td> | 261 | <td>2.3.3</td> |
| 262 | <td>Uninstall·talk·Package</td> | 262 | <td>Uninstall·talk·Package</td> |
| 263 | <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the | 263 | <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the |
| 264 | Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on | 264 | Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on |
| 265 | different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one | 265 | different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one |
| 266 | terminal·to·the·terminal·of·another·user. | 266 | terminal·to·the·terminal·of·another·user. |
| Offset 891, 14 lines modified | Offset 891, 27 lines modified | ||
| 891 | ········<pre>$·sudo·yum·install·rsyslog</pre> | 891 | ········<pre>$·sudo·yum·install·rsyslog</pre> |
| 892 | </td> | 892 | </td> |
| 893 | <td·xml:lang="en-US">The·rsyslog·package·provides·the·rsyslog·daemon,·which·provides | 893 | <td·xml:lang="en-US">The·rsyslog·package·provides·the·rsyslog·daemon,·which·provides |
| 894 | system·logging·services.</td> | 894 | system·logging·services.</td> |
| 895 | <td></td> | 895 | <td></td> |
| 896 | </tr> | 896 | </tr> |
| 897 | <tr> | 897 | <tr> |
| 898 | <td>4.7</td> | ||
| 899 | <td>Verify·firewalld·Enabled</td> | ||
| 900 | <td·xml:lang="en-US"> | ||
| 901 | ·············· | ||
| 902 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | ||
| 903 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | ||
| 904 | ············</td> | ||
| 905 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 906 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 907 | prevents·connections·from·unknown·hosts·and·protocols.</td> | ||
| 908 | <td></td> | ||
| 909 | </tr> | ||
| 910 | <tr> | ||
| 898 | <td>3.3.2</td> | 911 | <td>3.3.2</td> |
| 899 | <td>Configure·Accepting·IPv6·Redirects·By·Default</td> | 912 | <td>Configure·Accepting·IPv6·Redirects·By·Default</td> |
| 900 | <td·xml:lang="en-US"> | 913 | <td·xml:lang="en-US"> |
| 901 | ················ | 914 | ················ |
| 902 | ····To·set·the·runtime·status·of·the·<code>net.ipv6.conf.all.accept_redirects</code>·kernel·parameter, | 915 | ····To·set·the·runtime·status·of·the·<code>net.ipv6.conf.all.accept_redirects</code>·kernel·parameter, |
| 903 | ····run·the·following·command: | 916 | ····run·the·following·command: |
| 904 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv6.conf.all.accept_redirects=0</pre> | 917 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv6.conf.all.accept_redirects=0</pre> |
| Offset 960, 27 lines modified | Offset 973, 14 lines modified | ||
| Max diff block lines reached; 68679/74898 bytes (91.70%) of diff not shown. | |||
| Offset 89, 75 lines modified | Offset 89, 75 lines modified | ||
| 89 | means·that·data·from·the·login·session,·including·passwords·and | 89 | means·that·data·from·the·login·session,·including·passwords·and |
| 90 | all·other·information·transmitted·during·the·session,·can·be | 90 | all·other·information·transmitted·during·the·session,·can·be |
| 91 | stolen·by·eavesdroppers·on·the·network.</td> | 91 | stolen·by·eavesdroppers·on·the·network.</td> |
| 92 | <td></td> | 92 | <td></td> |
| 93 | </tr> | 93 | </tr> |
| 94 | <tr> | 94 | <tr> |
| 95 | <td>3.1.13</td> | 95 | <td>3.1.13</td> |
| 96 | <td>Disable·r | 96 | <td>Disable·rsh·Service</td> |
| 97 | <td·xml:lang="en-US">The·<code>r | 97 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 98 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 98 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 99 | as·a·systemd·socket,·should·be·disabled. | 99 | as·a·systemd·socket,·should·be·disabled. |
| 100 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 100 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 101 | If·using·systemd,· | 101 | If·using·systemd,· |
| 102 | ········The·<code>r | 102 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 103 | ········<pre>$·sudo·systemctl·disable·r | 103 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 104 | </td> | 104 | </td> |
| 105 | <td·xml:lang="en-US">The·r | 105 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 106 | means·that·data·from·the·login·session,·including·passwords·and | 106 | means·that·data·from·the·login·session,·including·passwords·and |
| 107 | all·other·information·transmitted·during·the·session,·can·be | 107 | all·other·information·transmitted·during·the·session,·can·be |
| 108 | stolen·by·eavesdroppers·on·the·network.</td> | 108 | stolen·by·eavesdroppers·on·the·network.</td> |
| 109 | <td></td> | 109 | <td></td> |
| 110 | </tr> | 110 | </tr> |
| 111 | <tr> | 111 | <tr> |
| 112 | <td>3.4.7</td> | 112 | <td>3.4.7</td> |
| 113 | <td>Disable·r | 113 | <td>Disable·rsh·Service</td> |
| 114 | <td·xml:lang="en-US">The·<code>r | 114 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 115 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 115 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 116 | as·a·systemd·socket,·should·be·disabled. | 116 | as·a·systemd·socket,·should·be·disabled. |
| 117 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 117 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 118 | If·using·systemd,· | 118 | If·using·systemd,· |
| 119 | ········The·<code>r | 119 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 120 | ········<pre>$·sudo·systemctl·disable·r | 120 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 121 | </td> | 121 | </td> |
| 122 | <td·xml:lang="en-US">The·r | 122 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 123 | means·that·data·from·the·login·session,·including·passwords·and | 123 | means·that·data·from·the·login·session,·including·passwords·and |
| 124 | all·other·information·transmitted·during·the·session,·can·be | 124 | all·other·information·transmitted·during·the·session,·can·be |
| 125 | stolen·by·eavesdroppers·on·the·network.</td> | 125 | stolen·by·eavesdroppers·on·the·network.</td> |
| 126 | <td></td> | 126 | <td></td> |
| 127 | </tr> | 127 | </tr> |
| 128 | <tr> | 128 | <tr> |
| 129 | <td>3.1.13</td> | 129 | <td>3.1.13</td> |
| 130 | <td>Disable·r | 130 | <td>Disable·rexec·Service</td> |
| 131 | <td·xml:lang="en-US">The·<code>r | 131 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 132 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 132 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 133 | as·a·systemd·socket,·should·be·disabled. | 133 | as·a·systemd·socket,·should·be·disabled. |
| 134 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 134 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 135 | If·using·systemd,· | 135 | If·using·systemd,· |
| 136 | ········The·<code>r | 136 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 137 | ········<pre>$·sudo·systemctl·disable·r | 137 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> |
| 138 | </td> | 138 | </td> |
| 139 | <td·xml:lang="en-US">The·r | 139 | <td·xml:lang="en-US">The·rexec·service·uses·unencrypted·network·communications,·which |
| 140 | means·that·data·from·the·login·session,·including·passwords·and | 140 | means·that·data·from·the·login·session,·including·passwords·and |
| 141 | all·other·information·transmitted·during·the·session,·can·be | 141 | all·other·information·transmitted·during·the·session,·can·be |
| 142 | stolen·by·eavesdroppers·on·the·network.</td> | 142 | stolen·by·eavesdroppers·on·the·network.</td> |
| 143 | <td></td> | 143 | <td></td> |
| 144 | </tr> | 144 | </tr> |
| 145 | <tr> | 145 | <tr> |
| 146 | <td>3.4.7</td> | 146 | <td>3.4.7</td> |
| 147 | <td>Disable·r | 147 | <td>Disable·rexec·Service</td> |
| 148 | <td·xml:lang="en-US">The·<code>r | 148 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 149 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 149 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 150 | as·a·systemd·socket,·should·be·disabled. | 150 | as·a·systemd·socket,·should·be·disabled. |
| 151 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 151 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 152 | If·using·systemd,· | 152 | If·using·systemd,· |
| 153 | ········The·<code>r | 153 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 154 | ········<pre>$·sudo·systemctl·disable·r | 154 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> |
| 155 | </td> | 155 | </td> |
| 156 | <td·xml:lang="en-US">The·r | 156 | <td·xml:lang="en-US">The·rexec·service·uses·unencrypted·network·communications,·which |
| 157 | means·that·data·from·the·login·session,·including·passwords·and | 157 | means·that·data·from·the·login·session,·including·passwords·and |
| 158 | all·other·information·transmitted·during·the·session,·can·be | 158 | all·other·information·transmitted·during·the·session,·can·be |
| 159 | stolen·by·eavesdroppers·on·the·network.</td> | 159 | stolen·by·eavesdroppers·on·the·network.</td> |
| 160 | <td></td> | 160 | <td></td> |
| 161 | </tr> | 161 | </tr> |
| 162 | <tr> | 162 | <tr> |
| 163 | <td>3.1.13</td> | 163 | <td>3.1.13</td> |
| Offset 922, 14 lines modified | Offset 922, 88 lines modified | ||
| 922 | ····<pre·xml:space="preserve">$·sudo·chmod·0640·/etc/ssh/*_key</pre> | 922 | ····<pre·xml:space="preserve">$·sudo·chmod·0640·/etc/ssh/*_key</pre> |
| 923 | ········</td> | 923 | ········</td> |
| 924 | <td·xml:lang="en-US">If·an·unauthorized·user·obtains·the·private·SSH·host·key·file,·the·host·could·be | 924 | <td·xml:lang="en-US">If·an·unauthorized·user·obtains·the·private·SSH·host·key·file,·the·host·could·be |
| 925 | impersonated.</td> | 925 | impersonated.</td> |
| 926 | <td></td> | 926 | <td></td> |
| 927 | </tr> | 927 | </tr> |
| 928 | <tr> | 928 | <tr> |
| 929 | <td>3.1.3</td> | ||
| 930 | <td>Set·Default·firewalld·Zone·for·Incoming·Packets</td> | ||
| 931 | <td·xml:lang="en-US">To·set·the·default·zone·to·<code>drop</code>·for | ||
| 932 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | ||
| 933 | modify·the·following·line·in | ||
| 934 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | ||
| 935 | <pre>DefaultZone=drop</pre> | ||
| 936 | </td> | ||
| 937 | <td·xml:lang="en-US">In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | ||
| 938 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | ||
| 939 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | ||
| 940 | any·packets·which·are·not·explicitly·permitted·should·not·be | ||
| 941 | accepted.</td> | ||
| 942 | <td></td> | ||
| 943 | </tr> | ||
| 944 | <tr> | ||
| 945 | <td>3.4.7</td> | ||
| 946 | <td>Set·Default·firewalld·Zone·for·Incoming·Packets</td> | ||
| 947 | <td·xml:lang="en-US">To·set·the·default·zone·to·<code>drop</code>·for | ||
| 948 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | ||
| 949 | modify·the·following·line·in | ||
| 950 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | ||
| 951 | <pre>DefaultZone=drop</pre> | ||
| 952 | </td> | ||
| 953 | <td·xml:lang="en-US">In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | ||
| 954 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | ||
| 955 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | ||
| 956 | any·packets·which·are·not·explicitly·permitted·should·not·be | ||
| 957 | accepted.</td> | ||
| 958 | <td></td> | ||
| 959 | </tr> | ||
| 960 | <tr> | ||
| 961 | <td>3.13.6</td> | ||
| 962 | <td>Set·Default·firewalld·Zone·for·Incoming·Packets</td> | ||
| 963 | <td·xml:lang="en-US">To·set·the·default·zone·to·<code>drop</code>·for | ||
| 964 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | ||
| 965 | modify·the·following·line·in | ||
| 966 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | ||
| 967 | <pre>DefaultZone=drop</pre> | ||
| 968 | </td> | ||
| 969 | <td·xml:lang="en-US">In·<code>firewalld</code>·the·default·zone·is·applied·only·after·all | ||
| 970 | the·applicable·rules·in·the·table·are·examined·for·a·match.·Setting·the | ||
| 971 | default·zone·to·<code>drop</code>·implements·proper·design·for·a·firewall,·i.e. | ||
| 972 | any·packets·which·are·not·explicitly·permitted·should·not·be | ||
| Max diff block lines reached; 108657/117199 bytes (92.71%) of diff not shown. | |||
| Offset 93, 48 lines modified | Offset 93, 48 lines modified | ||
| 93 | means·that·data·from·the·login·session,·including·passwords·and | 93 | means·that·data·from·the·login·session,·including·passwords·and |
| 94 | all·other·information·transmitted·during·the·session,·can·be | 94 | all·other·information·transmitted·during·the·session,·can·be |
| 95 | stolen·by·eavesdroppers·on·the·network.</td> | 95 | stolen·by·eavesdroppers·on·the·network.</td> |
| 96 | <td></td> | 96 | <td></td> |
| 97 | </tr> | 97 | </tr> |
| 98 | <tr> | 98 | <tr> |
| 99 | <td>AC-17(8)</td> | 99 | <td>AC-17(8)</td> |
| 100 | <td>Disable·r | 100 | <td>Disable·rsh·Service</td> |
| 101 | <td·xml:lang="en-US">The·<code>r | 101 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 102 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 102 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 103 | as·a·systemd·socket,·should·be·disabled. | 103 | as·a·systemd·socket,·should·be·disabled. |
| 104 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 104 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 105 | If·using·systemd,· | 105 | If·using·systemd,· |
| 106 | ········The·<code>r | 106 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 107 | ········<pre>$·sudo·systemctl·disable·r | 107 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 108 | </td> | 108 | </td> |
| 109 | <td·xml:lang="en-US">The·r | 109 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 110 | means·that·data·from·the·login·session,·including·passwords·and | 110 | means·that·data·from·the·login·session,·including·passwords·and |
| 111 | all·other·information·transmitted·during·the·session,·can·be | 111 | all·other·information·transmitted·during·the·session,·can·be |
| 112 | stolen·by·eavesdroppers·on·the·network.</td> | 112 | stolen·by·eavesdroppers·on·the·network.</td> |
| 113 | <td></td> | 113 | <td></td> |
| 114 | </tr> | 114 | </tr> |
| 115 | <tr> | 115 | <tr> |
| 116 | <td>CM-7</td> | 116 | <td>CM-7</td> |
| 117 | <td>Disable·r | 117 | <td>Disable·rsh·Service</td> |
| 118 | <td·xml:lang="en-US">The·<code>r | 118 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 119 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 119 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 120 | as·a·systemd·socket,·should·be·disabled. | 120 | as·a·systemd·socket,·should·be·disabled. |
| 121 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 121 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 122 | If·using·systemd,· | 122 | If·using·systemd,· |
| 123 | ········The·<code>r | 123 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| 124 | ········<pre>$·sudo·systemctl·disable·r | 124 | ········<pre>$·sudo·systemctl·disable·rsh.socket</pre> |
| 125 | </td> | 125 | </td> |
| 126 | <td·xml:lang="en-US">The·r | 126 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 127 | means·that·data·from·the·login·session,·including·passwords·and | 127 | means·that·data·from·the·login·session,·including·passwords·and |
| 128 | all·other·information·transmitted·during·the·session,·can·be | 128 | all·other·information·transmitted·during·the·session,·can·be |
| 129 | stolen·by·eavesdroppers·on·the·network.</td> | 129 | stolen·by·eavesdroppers·on·the·network.</td> |
| 130 | <td></td> | 130 | <td></td> |
| 131 | </tr> | 131 | </tr> |
| 132 | <tr> | 132 | <tr> |
| 133 | <td>A | 133 | <td>IA-5(1)(c)</td> |
| 134 | <td>Disable·rsh·Service</td> | 134 | <td>Disable·rsh·Service</td> |
| 135 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with | 135 | <td·xml:lang="en-US">The·<code>rsh</code>·service,·which·is·available·with |
| 136 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 136 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 137 | as·a·systemd·socket,·should·be·disabled. | 137 | as·a·systemd·socket,·should·be·disabled. |
| 138 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. | 138 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rsh</code>. |
| 139 | If·using·systemd,· | 139 | If·using·systemd,· |
| 140 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: | 140 | ········The·<code>rsh</code>·socket·can·be·disabled·with·the·following·command: |
| Offset 143, 42 lines modified | Offset 143, 42 lines modified | ||
| 143 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which | 143 | <td·xml:lang="en-US">The·rsh·service·uses·unencrypted·network·communications,·which |
| 144 | means·that·data·from·the·login·session,·including·passwords·and | 144 | means·that·data·from·the·login·session,·including·passwords·and |
| 145 | all·other·information·transmitted·during·the·session,·can·be | 145 | all·other·information·transmitted·during·the·session,·can·be |
| 146 | stolen·by·eavesdroppers·on·the·network.</td> | 146 | stolen·by·eavesdroppers·on·the·network.</td> |
| 147 | <td></td> | 147 | <td></td> |
| 148 | </tr> | 148 | </tr> |
| 149 | <tr> | 149 | <tr> |
| 150 | <td>C | 150 | <td>AC-17(8)</td> |
| 151 | <td>Disable·r | 151 | <td>Disable·rexec·Service</td> |
| 152 | <td·xml:lang="en-US">The·<code>r | 152 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 153 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 153 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 154 | as·a·systemd·socket,·should·be·disabled. | 154 | as·a·systemd·socket,·should·be·disabled. |
| 155 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 155 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 156 | If·using·systemd,· | 156 | If·using·systemd,· |
| 157 | ········The·<code>r | 157 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 158 | ········<pre>$·sudo·systemctl·disable·r | 158 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> |
| 159 | </td> | 159 | </td> |
| 160 | <td·xml:lang="en-US">The·r | 160 | <td·xml:lang="en-US">The·rexec·service·uses·unencrypted·network·communications,·which |
| 161 | means·that·data·from·the·login·session,·including·passwords·and | 161 | means·that·data·from·the·login·session,·including·passwords·and |
| 162 | all·other·information·transmitted·during·the·session,·can·be | 162 | all·other·information·transmitted·during·the·session,·can·be |
| 163 | stolen·by·eavesdroppers·on·the·network.</td> | 163 | stolen·by·eavesdroppers·on·the·network.</td> |
| 164 | <td></td> | 164 | <td></td> |
| 165 | </tr> | 165 | </tr> |
| 166 | <tr> | 166 | <tr> |
| 167 | <td> | 167 | <td>CM-7</td> |
| 168 | <td>Disable·r | 168 | <td>Disable·rexec·Service</td> |
| 169 | <td·xml:lang="en-US">The·<code>r | 169 | <td·xml:lang="en-US">The·<code>rexec</code>·service,·which·is·available·with |
| 170 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 170 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 171 | as·a·systemd·socket,·should·be·disabled. | 171 | as·a·systemd·socket,·should·be·disabled. |
| 172 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/r | 172 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 173 | If·using·systemd,· | 173 | If·using·systemd,· |
| 174 | ········The·<code>r | 174 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 175 | ········<pre>$·sudo·systemctl·disable·r | 175 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre> |
| 176 | </td> | 176 | </td> |
| 177 | <td·xml:lang="en-US">The·r | 177 | <td·xml:lang="en-US">The·rexec·service·uses·unencrypted·network·communications,·which |
| 178 | means·that·data·from·the·login·session,·including·passwords·and | 178 | means·that·data·from·the·login·session,·including·passwords·and |
| 179 | all·other·information·transmitted·during·the·session,·can·be | 179 | all·other·information·transmitted·during·the·session,·can·be |
| 180 | stolen·by·eavesdroppers·on·the·network.</td> | 180 | stolen·by·eavesdroppers·on·the·network.</td> |
| 181 | <td></td> | 181 | <td></td> |
| 182 | </tr> | 182 | </tr> |
| 183 | <tr> | 183 | <tr> |
| 184 | <td>AC-17(8)</td> | 184 | <td>AC-17(8)</td> |
| Offset 465, 56 lines modified | Offset 465, 14 lines modified | ||
| 465 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> | 465 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> |
| 466 | </td> | 466 | </td> |
| 467 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting | 467 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting |
| 468 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> | 468 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> |
| 469 | <td></td> | 469 | <td></td> |
| 470 | </tr> | 470 | </tr> |
| 471 | <tr> | 471 | <tr> |
| 472 | <td>AC-6</td> | ||
| 473 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 474 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 475 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 476 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 477 | the·following·example·(which·is·also·the·default): | ||
| 478 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 479 | </td> | ||
| 480 | <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | ||
| 481 | given·directory.·Serving·files·from·an·intentionally-specified·directory | ||
| 482 | reduces·the·risk·of·sharing·files·which·should·remain·private.</td> | ||
| 483 | <td></td> | ||
| 484 | </tr> | ||
| 485 | <tr> | ||
| 486 | <td>AC-17(8)</td> | ||
| 487 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 488 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 489 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 490 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 491 | the·following·example·(which·is·also·the·default): | ||
| 492 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 493 | </td> | ||
| 494 | <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | ||
| 495 | given·directory.·Serving·files·from·an·intentionally-specified·directory | ||
| 496 | reduces·the·risk·of·sharing·files·which·should·remain·private.</td> | ||
| 497 | <td></td> | ||
| 498 | </tr> | ||
| 499 | <tr> | ||
| Max diff block lines reached; 611760/620161 bytes (98.65%) of diff not shown. | |||
| Offset 147, 48 lines modified | Offset 147, 48 lines modified | ||
| 147 | <td·xml:lang="en-US">Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | 147 | <td·xml:lang="en-US">Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of |
| 148 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | 148 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session |
| 149 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</td> | 149 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</td> |
| 150 | <td></td> | 150 | <td></td> |
| 151 | </tr> | 151 | </tr> |
| 152 | <tr> | 152 | <tr> |
| 153 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> | 153 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> |
| 154 | <td>Ensure·Log·Files· | 154 | <td>Ensure·System·Log·Files·Have·Correct·Permissions</td> |
| 155 | <td·xml:lang="en-US">The· | 155 | <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by |
| 156 | <code>rsyslog</code>·should·be·ro | 156 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 157 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 157 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 158 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | 158 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 159 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 159 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 160 | run·the·following·command·to·inspect·the·file's· | 160 | run·the·following·command·to·inspect·the·file's·permissions: |
| 161 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 161 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 162 | If·the· | 162 | If·the·permissions·are·not·600·or·more·restrictive, |
| 163 | correct·this: | 163 | run·the·following·command·to·correct·this: |
| 164 | <pre>$·sudo·ch | 164 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre> |
| 165 | </td> | 165 | </td> |
| 166 | <td·xml:lang="en-US"> | 166 | <td·xml:lang="en-US">Log·files·can·contain·valuable·information·regarding·system |
| 167 | configuration | 167 | configuration.·If·the·system·log·files·are·not·protected·unauthorized |
| 168 | 168 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</td> | |
| 169 | <td></td> | 169 | <td></td> |
| 170 | </tr> | 170 | </tr> |
| 171 | <tr> | 171 | <tr> |
| 172 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.2</a></td> | 172 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.2</a></td> |
| 173 | <td>Ensure·Log·Files· | 173 | <td>Ensure·System·Log·Files·Have·Correct·Permissions</td> |
| 174 | <td·xml:lang="en-US">The· | 174 | <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by |
| 175 | <code>rsyslog</code>·should·be·ro | 175 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 176 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 176 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 177 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | 177 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 178 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 178 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 179 | run·the·following·command·to·inspect·the·file's· | 179 | run·the·following·command·to·inspect·the·file's·permissions: |
| 180 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 180 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 181 | If·the· | 181 | If·the·permissions·are·not·600·or·more·restrictive, |
| 182 | correct·this: | 182 | run·the·following·command·to·correct·this: |
| 183 | <pre>$·sudo·ch | 183 | <pre>$·sudo·chmod·0600·<i>LOGFILE</i></pre> |
| 184 | </td> | 184 | </td> |
| 185 | <td·xml:lang="en-US"> | 185 | <td·xml:lang="en-US">Log·files·can·contain·valuable·information·regarding·system |
| 186 | configuration | 186 | configuration.·If·the·system·log·files·are·not·protected·unauthorized |
| 187 | 187 | users·could·change·the·logged·data,·eliminating·their·forensic·value.</td> | |
| 188 | <td></td> | 188 | <td></td> |
| 189 | </tr> | 189 | </tr> |
| 190 | <tr> | 190 | <tr> |
| 191 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> | 191 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> |
| 192 | <td>Ensure·Log·Files·Are·Owned·By·Appropriate·User</td> | 192 | <td>Ensure·Log·Files·Are·Owned·By·Appropriate·User</td> |
| 193 | <td·xml:lang="en-US">The·owner·of·all·log·files·written·by | 193 | <td·xml:lang="en-US">The·owner·of·all·log·files·written·by |
| 194 | <code>rsyslog</code>·should·be·root. | 194 | <code>rsyslog</code>·should·be·root. |
| Offset 223, 48 lines modified | Offset 223, 48 lines modified | ||
| 223 | <td·xml:lang="en-US">The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system | 223 | <td·xml:lang="en-US">The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system |
| 224 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be | 224 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be |
| 225 | protected·from·unauthorized·access.</td> | 225 | protected·from·unauthorized·access.</td> |
| 226 | <td></td> | 226 | <td></td> |
| 227 | </tr> | 227 | </tr> |
| 228 | <tr> | 228 | <tr> |
| 229 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> | 229 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> |
| 230 | <td>Ensure· | 230 | <td>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</td> |
| 231 | <td·xml:lang="en-US">The· | 231 | <td·xml:lang="en-US">The·group-owner·of·all·log·files·written·by |
| 232 | <code>rsyslog</code>·should·be· | 232 | <code>rsyslog</code>·should·be·root. |
| 233 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 233 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 234 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | 234 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. |
| 235 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 235 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 236 | run·the·following·command·to·inspect·the·file's· | 236 | run·the·following·command·to·inspect·the·file's·group·owner: |
| 237 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 237 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 238 | If·the· | 238 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to |
| 239 | 239 | correct·this: | |
| 240 | <pre>$·sudo·ch | 240 | <pre>$·sudo·chgrp·root·<i>LOGFILE</i></pre> |
| 241 | </td> | 241 | </td> |
| 242 | <td·xml:lang="en-US"> | 242 | <td·xml:lang="en-US">The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system |
| 243 | configuration | 243 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be |
| 244 | 244 | protected·from·unauthorized·access.</td> | |
| 245 | <td></td> | 245 | <td></td> |
| 246 | </tr> | 246 | </tr> |
| 247 | <tr> | 247 | <tr> |
| 248 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.2</a></td> | 248 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.2</a></td> |
| 249 | <td>Ensure· | 249 | <td>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</td> |
| 250 | <td·xml:lang="en-US">The· | 250 | <td·xml:lang="en-US">The·group-owner·of·all·log·files·written·by |
| 251 | <code>rsyslog</code>·should·be· | 251 | <code>rsyslog</code>·should·be·root. |
| 252 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 252 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 253 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. | 253 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>. |
| 254 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 254 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| 255 | run·the·following·command·to·inspect·the·file's· | 255 | run·the·following·command·to·inspect·the·file's·group·owner: |
| 256 | <pre>$·ls·-l·<i>LOGFILE</i></pre> | 256 | <pre>$·ls·-l·<i>LOGFILE</i></pre> |
| 257 | If·the· | 257 | If·the·owner·is·not·<code>root</code>,·run·the·following·command·to |
| 258 | 258 | correct·this: | |
| 259 | <pre>$·sudo·ch | 259 | <pre>$·sudo·chgrp·root·<i>LOGFILE</i></pre> |
| 260 | </td> | 260 | </td> |
| 261 | <td·xml:lang="en-US"> | 261 | <td·xml:lang="en-US">The·log·files·generated·by·rsyslog·contain·valuable·information·regarding·system |
| 262 | configuration | 262 | configuration,·user·authentication,·and·other·such·information.·Log·files·should·be |
| 263 | 263 | protected·from·unauthorized·access.</td> | |
| 264 | <td></td> | 264 | <td></td> |
| 265 | </tr> | 265 | </tr> |
| 266 | <tr> | 266 | <tr> |
| 267 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.2.4</a></td> | 267 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.2.4</a></td> |
| 268 | <td>Set·Password·Maximum·Age</td> | 268 | <td>Set·Password·Maximum·Age</td> |
| 269 | <td·xml:lang="en-US">To·specify·password·maximum·age·for·new·accounts, | 269 | <td·xml:lang="en-US">To·specify·password·maximum·age·for·new·accounts, |
| 270 | edit·the·file·<code>/etc/login.defs</code> | 270 | edit·the·file·<code>/etc/login.defs</code> |
| Offset 281, 45 lines modified | Offset 281, 14 lines modified | ||
| 281 | Setting·the·password·maximum·age·ensures·users·are·required·to | 281 | Setting·the·password·maximum·age·ensures·users·are·required·to |
| 282 | periodically·change·their·passwords.·Requiring·shorter·password·lifetimes | 282 | periodically·change·their·passwords.·Requiring·shorter·password·lifetimes |
| 283 | increases·the·risk·of·users·writing·down·the·password·in·a·convenient | 283 | increases·the·risk·of·users·writing·down·the·password·in·a·convenient |
| 284 | location·subject·to·physical·compromise.</td> | 284 | location·subject·to·physical·compromise.</td> |
| 285 | <td></td> | 285 | <td></td> |
| 286 | </tr> | 286 | </tr> |
| 287 | <tr> | 287 | <tr> |
| 288 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.1</a></td> | ||
| 289 | <td>Ensure·All·Accounts·on·the·System·Have·Unique·Names</td> | ||
| 290 | <td·xml:lang="en-US">Change·usernames,·or·delete·accounts,·so·each·has·a·unique·name.</td> | ||
| 291 | <td·xml:lang="en-US">Unique·usernames·allow·for·accountability·on·the·system.</td> | ||
| 292 | <td></td> | ||
| 293 | </tr> | ||
| 294 | <tr> | ||
| 295 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.4</a></td> | ||
| 296 | <td>Set·Account·Expiration·Following·Inactivity</td> | ||
| 297 | <td·xml:lang="en-US">To·specify·the·number·of·days·after·a·password·expires·(which | ||
| 298 | signifies·inactivity)·until·an·account·is·permanently·disabled,·add·or·correct | ||
| 299 | the·following·lines·in·<code>/etc/default/useradd</code>,·substituting | ||
| 300 | <code><i>NUM_DAYS</i></code>·appropriately: | ||
| 301 | <pre>INACTIVE=<i><ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_account_disable_post_pw_expiration"></ns0:sub></i></pre> | ||
| 302 | A·value·of·35·is·recommended;·however,·this·profile·expects·that·the·value·is·set·to | ||
| 303 | <code><ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_account_disable_post_pw_expiration"></ns0:sub></code>. | ||
| 304 | If·a·password·is·currently·on·the | ||
| 305 | verge·of·expiration,·then·35·days·remain·until·the·account·is·automatically | ||
| 306 | disabled.·However,·if·the·password·will·not·expire·for·another·60·days,·then·95 | ||
| 307 | days·could·elapse·until·the·account·would·be·automatically·disabled.·See·the | ||
| 308 | <code>useradd</code>·man·page·for·more·information.··Determining·the·inactivity | ||
| 309 | timeout·must·be·done·with·careful·consideration·of·the·length·of·a·"normal" | ||
| Max diff block lines reached; 68102/78451 bytes (86.81%) of diff not shown. | |||
| Offset 59, 36 lines modified | Offset 59, 36 lines modified | ||
| 59 | <td></td> | 59 | <td></td> |
| 60 | </tr> | 60 | </tr> |
| 61 | <tr> | 61 | <tr> |
| 62 | <td>SRG-OS-000480-GPOS-00232</td> | 62 | <td>SRG-OS-000480-GPOS-00232</td> |
| 63 | <td>CCI-000366</td> | 63 | <td>CCI-000366</td> |
| 64 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 64 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 65 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 65 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 66 | <td>no_host_based_files</td> | 66 | <td>no_user_host_based_files</td> |
| 67 | <td>Remove·Host-Based·Authentication·Files</td> | 67 | <td>Remove·User·Host-Based·Authentication·Files</td> |
| 68 | <td·xml:lang="en-US">The·<code>shosts | 68 | <td·xml:lang="en-US">The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 69 | and·users·that·are·trusted·by·th | 69 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 70 | To·remove·these·files,·run·the·following·comman | 70 | local·system.·To·remove·these·files,·run·the·following·command |
| 71 | location: | 71 | to·delete·them·from·any·location: |
| 72 | <pre>$·sudo·rm· | 72 | <pre>$·sudo·rm·~/.shosts</pre> |
| 73 | </td> | 73 | </td> |
| 74 | <td></td> | 74 | <td></td> |
| 75 | </tr> | 75 | </tr> |
| 76 | <tr> | 76 | <tr> |
| 77 | <td>SRG-OS-000480-GPOS-00232</td> | 77 | <td>SRG-OS-000480-GPOS-00232</td> |
| 78 | <td>CCI-000366</td> | 78 | <td>CCI-000366</td> |
| 79 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 79 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 80 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 80 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 81 | <td>no_ | 81 | <td>no_host_based_files</td> |
| 82 | <td>Remove· | 82 | <td>Remove·Host-Based·Authentication·Files</td> |
| 83 | <td·xml:lang="en-US">The·<code> | 83 | <td·xml:lang="en-US">The·<code>shosts.equiv</code>·file·list·remote·hosts |
| 84 | 84 | and·users·that·are·trusted·by·the·local·system. | |
| 85 | 85 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | |
| 86 | 86 | location: | |
| 87 | <pre>$·sudo·rm· | 87 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre> |
| 88 | </td> | 88 | </td> |
| 89 | <td></td> | 89 | <td></td> |
| 90 | </tr> | 90 | </tr> |
| 91 | <tr> | 91 | <tr> |
| 92 | <td>SRG-OS-000480-GPOS-00232</td> | 92 | <td>SRG-OS-000480-GPOS-00232</td> |
| 93 | <td>CCI-000366</td> | 93 | <td>CCI-000366</td> |
| 94 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 94 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| Offset 375, 35 lines modified | Offset 375, 35 lines modified | ||
| 375 | <td></td> | 375 | <td></td> |
| 376 | </tr> | 376 | </tr> |
| 377 | <tr> | 377 | <tr> |
| 378 | <td>SRG-OS-000480-GPOS-00232</td> | 378 | <td>SRG-OS-000480-GPOS-00232</td> |
| 379 | <td>CCI-000366</td> | 379 | <td>CCI-000366</td> |
| 380 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 380 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 381 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 381 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 382 | <td>mount_option_ | 382 | <td>mount_option_noexec_remote_filesystems</td> |
| 383 | <td>Mount·Remote·Filesystems·with· | 383 | <td>Mount·Remote·Filesystems·with·noexec</td> |
| 384 | <td·xml:lang="en-US"> | 384 | <td·xml:lang="en-US"> |
| 385 | ·············· | 385 | ·············· |
| 386 | » Add·the·<code> | 386 | » Add·the·<code>noexec</code>·option·to·the·fourth·column·of |
| 387 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of | 387 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of |
| 388 | » any·NFS·mounts. | 388 | » any·NFS·mounts. |
| 389 | » | 389 | » |
| 390 | ············</td> | 390 | ············</td> |
| 391 | <td></td> | 391 | <td></td> |
| 392 | </tr> | 392 | </tr> |
| 393 | <tr> | 393 | <tr> |
| 394 | <td>SRG-OS-000480-GPOS-00232</td> | 394 | <td>SRG-OS-000480-GPOS-00232</td> |
| 395 | <td>CCI-000366</td> | 395 | <td>CCI-000366</td> |
| 396 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 396 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 397 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 397 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 398 | <td>mount_option_ | 398 | <td>mount_option_krb_sec_remote_filesystems</td> |
| 399 | <td>Mount·Remote·Filesystems·with· | 399 | <td>Mount·Remote·Filesystems·with·Kerberos·Security</td> |
| 400 | <td·xml:lang="en-US"> | 400 | <td·xml:lang="en-US"> |
| 401 | ·············· | 401 | ·············· |
| 402 | » Add·the·<code> | 402 | » Add·the·<code>sec=krb5:krb5i:krb5p</code>·option·to·the·fourth·column·of |
| 403 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of | 403 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of |
| 404 | » any·NFS·mounts. | 404 | » any·NFS·mounts. |
| 405 | » | 405 | » |
| 406 | ············</td> | 406 | ············</td> |
| 407 | <td></td> | 407 | <td></td> |
| 408 | </tr> | 408 | </tr> |
| 409 | <tr> | 409 | <tr> |
| Offset 729, 14 lines modified | Offset 729, 30 lines modified | ||
| 729 | <td></td> | 729 | <td></td> |
| 730 | </tr> | 730 | </tr> |
| 731 | <tr> | 731 | <tr> |
| 732 | <td>SRG-OS-000480-GPOS-00232</td> | 732 | <td>SRG-OS-000480-GPOS-00232</td> |
| 733 | <td>CCI-000366</td> | 733 | <td>CCI-000366</td> |
| 734 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 734 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 735 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 735 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 736 | <td>ensure_logrotate_activated</td> | ||
| 737 | <td>Ensure·Logrotate·Runs·Periodically</td> | ||
| 738 | <td·xml:lang="en-US">The·<code>logrotate</code>·utility·allows·for·the·automatic·rotation·of· | ||
| 739 | log·files.··The·frequency·of·rotation·is·specified·in·<code>/etc/logrotate.conf</code>,· | ||
| 740 | which·triggers·a·cron·task.··To·configure·logrotate·to·run·daily,·add·or·correct· | ||
| 741 | the·following·line·in·<code>/etc/logrotate.conf</code>: | ||
| 742 | <pre>#·rotate·log·files·<i>frequency</i> | ||
| 743 | daily</pre> | ||
| 744 | </td> | ||
| 745 | <td></td> | ||
| 746 | </tr> | ||
| 747 | <tr> | ||
| 748 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 749 | <td>CCI-000366</td> | ||
| 750 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 751 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 736 | <td>rsyslog_cron_logging</td> | 752 | <td>rsyslog_cron_logging</td> |
| 737 | <td>Ensure·cron·Is·Logging·To·Rsyslog</td> | 753 | <td>Ensure·cron·Is·Logging·To·Rsyslog</td> |
| 738 | <td·xml:lang="en-US">Cron·logging·must·be·implemented·to·spot·intrusions·or·trace | 754 | <td·xml:lang="en-US">Cron·logging·must·be·implemented·to·spot·intrusions·or·trace |
| 739 | cron·job·status.·If·<code>cron</code>·is·not·logging·to·<code>rsyslog</code>,·it | 755 | cron·job·status.·If·<code>cron</code>·is·not·logging·to·<code>rsyslog</code>,·it |
| 740 | can·be·implemented·by·adding·the·following·to·the·<i>RULES</i>·section·of | 756 | can·be·implemented·by·adding·the·following·to·the·<i>RULES</i>·section·of |
| 741 | <code>/etc/rsyslog.conf</code>: | 757 | <code>/etc/rsyslog.conf</code>: |
| 742 | <pre>cron.*··················································/var/log/cron</pre> | 758 | <pre>cron.*··················································/var/log/cron</pre> |
| Offset 744, 30 lines modified | Offset 760, 43 lines modified | ||
| 744 | <td></td> | 760 | <td></td> |
| 745 | </tr> | 761 | </tr> |
| 746 | <tr> | 762 | <tr> |
| 747 | <td>SRG-OS-000480-GPOS-00232</td> | 763 | <td>SRG-OS-000480-GPOS-00232</td> |
| 748 | <td>CCI-000366</td> | 764 | <td>CCI-000366</td> |
| 749 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 765 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 750 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 766 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 751 | <td>e | 767 | <td>set_firewalld_default_zone</td> |
| 752 | <td> | 768 | <td>Set·Default·firewalld·Zone·for·Incoming·Packets</td> |
| 753 | <td·xml:lang="en-US">T | 769 | <td·xml:lang="en-US">To·set·the·default·zone·to·<code>drop</code>·for |
| 754 | 770 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | |
| 755 | 771 | modify·the·following·line·in | |
| 756 | 772 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | |
| 757 | <pre> | 773 | <pre>DefaultZone=drop</pre> |
| 758 | daily</pre> | ||
| 759 | </td> | 774 | </td> |
| 760 | <td></td> | 775 | <td></td> |
| 761 | </tr> | 776 | </tr> |
| 762 | <tr> | 777 | <tr> |
| 763 | <td>SRG-OS-000480-GPOS-00232</td> | 778 | <td>SRG-OS-000480-GPOS-00232</td> |
| 764 | <td>CCI-000366</td> | 779 | <td>CCI-000366</td> |
| 765 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 780 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 766 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 781 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| Max diff block lines reached; 1420954/1428975 bytes (99.44%) of diff not shown. | |||
| Offset 58, 32 lines modified | Offset 58, 32 lines modified | ||
| 58 | <tr> | 58 | <tr> |
| 59 | <td>SRG-OS-000480-GPOS-00232</td> | 59 | <td>SRG-OS-000480-GPOS-00232</td> |
| 60 | <td>CCI-000366</td> | 60 | <td>CCI-000366</td> |
| 61 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 61 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 62 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 62 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 63 | <td> | 63 | <td> |
| 64 | <table><tr> | 64 | <table><tr> |
| 65 | <td>Remove·Host-Based·Authentication·Files</td> | ||
| 66 | <td·xml:lang="en-US">The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 67 | and·users·that·are·trusted·by·the·local·system. | ||
| 68 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 69 | location: | ||
| 70 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre> | ||
| 71 | </td> | ||
| 72 | </tr></table> | ||
| 73 | <table><tr> | ||
| 74 | <td>Remove·User·Host-Based·Authentication·Files</td> | 65 | <td>Remove·User·Host-Based·Authentication·Files</td> |
| 75 | <td·xml:lang="en-US">The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 66 | <td·xml:lang="en-US">The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 76 | list·remote·hosts·and·users·that·are·trusted·by·the | 67 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 77 | local·system.·To·remove·these·files,·run·the·following·command | 68 | local·system.·To·remove·these·files,·run·the·following·command |
| 78 | to·delete·them·from·any·location: | 69 | to·delete·them·from·any·location: |
| 79 | <pre>$·sudo·rm·~/.shosts</pre> | 70 | <pre>$·sudo·rm·~/.shosts</pre> |
| 80 | </td> | 71 | </td> |
| 81 | </tr></table> | 72 | </tr></table> |
| 82 | <table><tr> | 73 | <table><tr> |
| 74 | <td>Remove·Host-Based·Authentication·Files</td> | ||
| 75 | <td·xml:lang="en-US">The·<code>shosts.equiv</code>·file·list·remote·hosts | ||
| 76 | and·users·that·are·trusted·by·the·local·system. | ||
| 77 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | ||
| 78 | location: | ||
| 79 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre> | ||
| 80 | </td> | ||
| 81 | </tr></table> | ||
| 82 | <table><tr> | ||
| 83 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | 83 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> |
| 84 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | 84 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured |
| 85 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | 85 | to·change·its·root·directory·at·startup.·To·do·so,·ensure |
| 86 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | 86 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in |
| 87 | the·following·example·(which·is·also·the·default): | 87 | the·following·example·(which·is·also·the·default): |
| 88 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | 88 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> |
| 89 | </td> | 89 | </td> |
| Offset 248, 28 lines modified | Offset 248, 28 lines modified | ||
| 248 | <table><tr> | 248 | <table><tr> |
| 249 | <td>Use·Kerberos·Security·on·All·Exports</td> | 249 | <td>Use·Kerberos·Security·on·All·Exports</td> |
| 250 | <td·xml:lang="en-US">Using·Kerberos·on·all·exported·mounts·prevents·a·malicious·client·or·user·from | 250 | <td·xml:lang="en-US">Using·Kerberos·on·all·exported·mounts·prevents·a·malicious·client·or·user·from |
| 251 | impersonating·a·system·user.·To·cryptography·authenticate·users·to·the·NFS·server, | 251 | impersonating·a·system·user.·To·cryptography·authenticate·users·to·the·NFS·server, |
| 252 | add·<code>sec=krb5:krb5i:krb5p</code>·to·each·export·in·<code>/etc/exports</code>.</td> | 252 | add·<code>sec=krb5:krb5i:krb5p</code>·to·each·export·in·<code>/etc/exports</code>.</td> |
| 253 | </tr></table> | 253 | </tr></table> |
| 254 | <table><tr> | 254 | <table><tr> |
| 255 | <td>Mount·Remote·Filesystems·with· | 255 | <td>Mount·Remote·Filesystems·with·noexec</td> |
| 256 | <td·xml:lang="en-US"> | 256 | <td·xml:lang="en-US"> |
| 257 | ·············· | 257 | ·············· |
| 258 | » Add·the·<code> | 258 | » Add·the·<code>noexec</code>·option·to·the·fourth·column·of |
| 259 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of | 259 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of |
| 260 | » any·NFS·mounts. | 260 | » any·NFS·mounts. |
| 261 | » | 261 | » |
| 262 | ············</td> | 262 | ············</td> |
| 263 | </tr></table> | 263 | </tr></table> |
| 264 | <table><tr> | 264 | <table><tr> |
| 265 | <td>Mount·Remote·Filesystems·with· | 265 | <td>Mount·Remote·Filesystems·with·Kerberos·Security</td> |
| 266 | <td·xml:lang="en-US"> | 266 | <td·xml:lang="en-US"> |
| 267 | ·············· | 267 | ·············· |
| 268 | » Add·the·<code> | 268 | » Add·the·<code>sec=krb5:krb5i:krb5p</code>·option·to·the·fourth·column·of |
| 269 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of | 269 | » <code>/etc/fstab</code>·for·the·line·which·controls·mounting·of |
| 270 | » any·NFS·mounts. | 270 | » any·NFS·mounts. |
| 271 | » | 271 | » |
| 272 | ············</td> | 272 | ············</td> |
| 273 | </tr></table> | 273 | </tr></table> |
| 274 | <table><tr> | 274 | <table><tr> |
| 275 | <td>Mount·Remote·Filesystems·with·nosuid</td> | 275 | <td>Mount·Remote·Filesystems·with·nosuid</td> |
| Offset 476, 33 lines modified | Offset 476, 50 lines modified | ||
| 476 | <br> | 476 | <br> |
| 477 | To·use·RELP·for·log·message·delivery: | 477 | To·use·RELP·for·log·message·delivery: |
| 478 | <pre>*.*·:omrelp:<i>loghost.example.com</i></pre> | 478 | <pre>*.*·:omrelp:<i>loghost.example.com</i></pre> |
| 479 | <br> | 479 | <br> |
| 480 | There·must·be·a·resolvable·DNS·CNAME·or·Alias·record·set·to·"<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="rsyslog_remote_loghost_address"></ns0:sub>"·for·logs·to·be·sent·correctly·to·the·centralized·logging·utility.</td> | 480 | There·must·be·a·resolvable·DNS·CNAME·or·Alias·record·set·to·"<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="rsyslog_remote_loghost_address"></ns0:sub>"·for·logs·to·be·sent·correctly·to·the·centralized·logging·utility.</td> |
| 481 | </tr></table> | 481 | </tr></table> |
| 482 | <table><tr> | 482 | <table><tr> |
| 483 | <td>Ensure·Logrotate·Runs·Periodically</td> | ||
| 484 | <td·xml:lang="en-US">The·<code>logrotate</code>·utility·allows·for·the·automatic·rotation·of· | ||
| 485 | log·files.··The·frequency·of·rotation·is·specified·in·<code>/etc/logrotate.conf</code>,· | ||
| 486 | which·triggers·a·cron·task.··To·configure·logrotate·to·run·daily,·add·or·correct· | ||
| 487 | the·following·line·in·<code>/etc/logrotate.conf</code>: | ||
| 488 | <pre>#·rotate·log·files·<i>frequency</i> | ||
| 489 | daily</pre> | ||
| 490 | </td> | ||
| 491 | </tr></table> | ||
| 492 | <table><tr> | ||
| 483 | <td>Ensure·cron·Is·Logging·To·Rsyslog</td> | 493 | <td>Ensure·cron·Is·Logging·To·Rsyslog</td> |
| 484 | <td·xml:lang="en-US">Cron·logging·must·be·implemented·to·spot·intrusions·or·trace | 494 | <td·xml:lang="en-US">Cron·logging·must·be·implemented·to·spot·intrusions·or·trace |
| 485 | cron·job·status.·If·<code>cron</code>·is·not·logging·to·<code>rsyslog</code>,·it | 495 | cron·job·status.·If·<code>cron</code>·is·not·logging·to·<code>rsyslog</code>,·it |
| 486 | can·be·implemented·by·adding·the·following·to·the·<i>RULES</i>·section·of | 496 | can·be·implemented·by·adding·the·following·to·the·<i>RULES</i>·section·of |
| 487 | <code>/etc/rsyslog.conf</code>: | 497 | <code>/etc/rsyslog.conf</code>: |
| 488 | <pre>cron.*··················································/var/log/cron</pre> | 498 | <pre>cron.*··················································/var/log/cron</pre> |
| 489 | </td> | 499 | </td> |
| 490 | </tr></table> | 500 | </tr></table> |
| 491 | <table><tr> | 501 | <table><tr> |
| 492 | <td> | 502 | <td>Set·Default·firewalld·Zone·for·Incoming·Packets</td> |
| 493 | <td·xml:lang="en-US">T | 503 | <td·xml:lang="en-US">To·set·the·default·zone·to·<code>drop</code>·for |
| 494 | 504 | the·built-in·default·zone·which·processes·incoming·IPv4·and·IPv6·packets, | |
| 495 | 505 | modify·the·following·line·in | |
| 496 | 506 | <code>/etc/firewalld/firewalld.conf</code>·to·be: | |
| 497 | <pre> | 507 | <pre>DefaultZone=drop</pre> |
| 498 | daily</pre> | ||
| 499 | </td> | 508 | </td> |
| 500 | </tr></table> | 509 | </tr></table> |
| 501 | <table><tr> | 510 | <table><tr> |
| 511 | <td>Verify·firewalld·Enabled</td> | ||
| 512 | <td·xml:lang="en-US"> | ||
| 513 | ·············· | ||
| 514 | ········The·<code>firewalld</code>·service·can·be·enabled·with·the·following·command: | ||
| 515 | ········<pre>$·sudo·systemctl·enable·firewalld.service</pre> | ||
| 516 | ············</td> | ||
| 517 | </tr></table> | ||
| 518 | <table><tr> | ||
| 502 | <td>Configure·Kernel·Parameter·for·Accepting·Source-Routed·Packets·for·Interfaces·By·Default</td> | 519 | <td>Configure·Kernel·Parameter·for·Accepting·Source-Routed·Packets·for·Interfaces·By·Default</td> |
| 503 | <td·xml:lang="en-US"> | 520 | <td·xml:lang="en-US"> |
| 504 | ················ | 521 | ················ |
| 505 | ····To·set·the·runtime·status·of·the·<code>net.ipv6.conf.default.accept_source_route</code>·kernel·parameter, | 522 | ····To·set·the·runtime·status·of·the·<code>net.ipv6.conf.default.accept_source_route</code>·kernel·parameter, |
| 506 | ····run·the·following·command: | 523 | ····run·the·following·command: |
| 507 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv6.conf.default.accept_source_route=0</pre> | 524 | ····<pre·xml:space="preserve">$·sudo·sysctl·-w·net.ipv6.conf.default.accept_source_route=0</pre> |
| 508 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: | 525 | ····If·this·is·not·the·system's·default·value,·add·the·following·line·to·<code>/etc/sysctl.conf</code>: |
| Offset 537, 105 lines modified | Offset 554, 88 lines modified | ||
| 537 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>,·and·add·or·correct | 554 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>,·and·add·or·correct |
| 538 | the·following·line·(substituting·your·gateway·IP·as·appropriate): | 555 | the·following·line·(substituting·your·gateway·IP·as·appropriate): |
| 539 | <pre>IPV6_DEFAULTGW=2001:0DB8::0001</pre> | 556 | <pre>IPV6_DEFAULTGW=2001:0DB8::0001</pre> |
| 540 | Router·addresses·should·be·manually·set·and·not·accepted·via·any | 557 | Router·addresses·should·be·manually·set·and·not·accepted·via·any |
| Max diff block lines reached; 960069/966337 bytes (99.35%) of diff not shown. | |||
| Offset 39, 44 lines modified | Offset 39, 44 lines modified | ||
| 39 | ·······assert: | 39 | ·······assert: |
| 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 41 | ·········msg:·> | 41 | ·········msg:·> |
| 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······var_auditd_max_log_file:·1 | ||
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_space_left_action:·suspend | ||
| 49 | ······var_auditd_admin_space_left_action:·suspend | ||
| 50 | ······var_auditd_max_log_file_action:·ignore | ||
| 46 | ······rsyslog_remote_loghost_address:·None | 51 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 52 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 55 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 59 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 60 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 61 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 62 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 60 | ······sysctl_net_ipv4_c | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 61 | ······var_selinux_policy_name:·targeted | 66 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 67 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | 68 | ······var_accounts_minimum_age_login_defs:·1 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 70 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 71 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 72 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 73 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 74 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 75 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_auditd_action_mail_acct:·admin | ||
| 72 | ······var_auditd_max_log_file:·1 | ||
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | ||
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ······var_removable_partition:·/dev/cdrom | 77 | ······var_removable_partition:·/dev/cdrom |
| 78 | ······var_removable_partition:·/dev/cdrom | 78 | ······var_removable_partition:·/dev/cdrom |
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·vsftpd·is·removed | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| Offset 103, 29 lines modified | Offset 103, 14 lines modified | ||
| 103 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 104 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 105 | ········-·low_complexity | 105 | ········-·low_complexity |
| 106 | ········-·low_disruption | 106 | ········-·low_disruption |
| 107 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 108 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 109 | ···· | 109 | ···· |
| 110 | ····-·name:·Ensure·dhcp·is·removed | ||
| 111 | ······package: | ||
| 112 | ········name="{{item}}" | ||
| 113 | ········state=absent | ||
| 114 | ······with_items: | ||
| 115 | ········-·dhcp | ||
| 116 | ······tags: | ||
| 117 | ········-·package_dhcp_removed | ||
| 118 | ········-·medium_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27120-5 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ···· | ||
| 125 | ····-·name:·Enable·service·ntpd | 110 | ····-·name:·Enable·service·ntpd |
| 126 | ······service: | 111 | ······service: |
| 127 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 128 | ········enabled="yes" | 113 | ········enabled="yes" |
| 129 | ········state="started" | 114 | ········state="started" |
| 130 | ······with_items: | 115 | ······with_items: |
| 131 | ········-·ntpd | 116 | ········-·ntpd |
| Offset 168, 65 lines modified | Offset 153, 14 lines modified | ||
| 168 | ········-·package_net-snmp_removed | 153 | ········-·package_net-snmp_removed |
| 169 | ········-·unknown_severity | 154 | ········-·unknown_severity |
| 170 | ········-·disable_strategy | 155 | ········-·disable_strategy |
| 171 | ········-·low_complexity | 156 | ········-·low_complexity |
| 172 | ········-·low_disruption | 157 | ········-·low_disruption |
| 173 | ········-·CCE-26332-7 | 158 | ········-·CCE-26332-7 |
| 174 | ···· | 159 | ···· |
| 175 | ····-·name:·Enable·service·crond | ||
| 176 | ······service: | ||
| 177 | ········name="{{item}}" | ||
| 178 | ········enabled="yes" | ||
| 179 | ········state="started" | ||
| 180 | ······with_items: | ||
| 181 | ········-·crond | ||
| 182 | ······tags: | ||
| 183 | ········-·service_crond_enabled | ||
| 184 | ········-·medium_severity | ||
| 185 | ········-·enable_strategy | ||
| 186 | ········-·low_complexity | ||
| 187 | ········-·low_disruption | ||
| 188 | ········-·CCE-27070-2 | ||
| 189 | ········-·NIST-800-53-CM-7 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 191 | ···· | ||
| 192 | ····-·name:·Disable·service·atd | ||
| 193 | ······service: | ||
| 194 | ········name="{{item}}" | ||
| 195 | ········enabled="no" | ||
| 196 | ········state="stopped" | ||
| 197 | ······register:·service_result | ||
| 198 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 199 | ······with_items: | ||
| 200 | ········-·atd | ||
| 201 | ······tags: | ||
| 202 | ········-·service_atd_disabled | ||
| 203 | ········-·unknown_severity | ||
| 204 | ········-·disable_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27249-2 | ||
| 208 | ········-·NIST-800-53-CM-7 | ||
| 209 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 210 | ···· | ||
| 211 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| Max diff block lines reached; 80006/84947 bytes (94.18%) of diff not shown. | |||
| Offset 33, 31 lines modified | Offset 33, 31 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 50 | ······sysctl_net_ipv4_c | 49 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 54 | ······var_accounts_minimum_age_login_defs:·1 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 207, 65 lines modified | Offset 207, 14 lines modified | ||
| 207 | ········-·service_snmpd_disabled | 207 | ········-·service_snmpd_disabled |
| 208 | ········-·unknown_severity | 208 | ········-·unknown_severity |
| 209 | ········-·disable_strategy | 209 | ········-·disable_strategy |
| 210 | ········-·low_complexity | 210 | ········-·low_complexity |
| 211 | ········-·low_disruption | 211 | ········-·low_disruption |
| 212 | ········-·CCE-26906-8 | 212 | ········-·CCE-26906-8 |
| 213 | ···· | 213 | ···· |
| 214 | ····-·name:·Enable·service·crond | ||
| 215 | ······service: | ||
| 216 | ········name="{{item}}" | ||
| 217 | ········enabled="yes" | ||
| 218 | ········state="started" | ||
| 219 | ······with_items: | ||
| 220 | ········-·crond | ||
| 221 | ······tags: | ||
| 222 | ········-·service_crond_enabled | ||
| 223 | ········-·medium_severity | ||
| 224 | ········-·enable_strategy | ||
| 225 | ········-·low_complexity | ||
| 226 | ········-·low_disruption | ||
| 227 | ········-·CCE-27070-2 | ||
| 228 | ········-·NIST-800-53-CM-7 | ||
| 229 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 230 | ···· | ||
| 231 | ····-·name:·Disable·service·atd | ||
| 232 | ······service: | ||
| 233 | ········name="{{item}}" | ||
| 234 | ········enabled="no" | ||
| 235 | ········state="stopped" | ||
| 236 | ······register:·service_result | ||
| 237 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 238 | ······with_items: | ||
| 239 | ········-·atd | ||
| 240 | ······tags: | ||
| 241 | ········-·service_atd_disabled | ||
| 242 | ········-·unknown_severity | ||
| 243 | ········-·disable_strategy | ||
| 244 | ········-·low_complexity | ||
| 245 | ········-·low_disruption | ||
| 246 | ········-·CCE-27249-2 | ||
| 247 | ········-·NIST-800-53-CM-7 | ||
| 248 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 249 | ···· | ||
| 250 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·xorg-x11-server-common | ||
| 256 | ······tags: | ||
| 257 | ········-·package_xorg-x11-server-common_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-27198-1 | ||
| 263 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 264 | ···· | ||
| 265 | ····-·name:·Ensure·rsh-server·is·removed | 214 | ····-·name:·Ensure·rsh-server·is·removed |
| 266 | ······package: | 215 | ······package: |
| 267 | ········name="{{item}}" | 216 | ········name="{{item}}" |
| 268 | ········state=absent | 217 | ········state=absent |
| 269 | ······with_items: | 218 | ······with_items: |
| 270 | ········-·rsh-server | 219 | ········-·rsh-server |
| 271 | ······tags: | 220 | ······tags: |
| Offset 420, 132 lines modified | Offset 369, 81 lines modified | ||
| 420 | ········-·disable_strategy | 369 | ········-·disable_strategy |
| 421 | ········-·low_complexity | 370 | ········-·low_complexity |
| 422 | ········-·low_disruption | 371 | ········-·low_disruption |
| 423 | ········-·CCE-27005-8 | 372 | ········-·CCE-27005-8 |
| 424 | ········-·NIST-800-53-CM-7 | 373 | ········-·NIST-800-53-CM-7 |
| 425 | ········-·DISA-STIG-RHEL-06-000204 | 374 | ········-·DISA-STIG-RHEL-06-000204 |
| 426 | ···· | 375 | ···· |
| 427 | ····-·name:· | 376 | ····-·name:·Ensure·xorg-x11-server-common·is·removed |
| 428 | ······ | 377 | ······package: |
| 429 | ········name="{{item}}" | ||
| 430 | ········enabled="no" | ||
| 431 | ········state="stopped" | ||
| 432 | ······register:·service_result | ||
| 433 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 434 | ······with_items: | ||
| 435 | ········-·rpcgssd | ||
| 436 | ······tags: | ||
| 437 | ········-·service_rpcgssd_disabled | ||
| 438 | ········-·unknown_severity | ||
| 439 | ········-·disable_strategy | ||
| 440 | ········-·low_complexity | ||
| 441 | ········-·low_disruption | ||
| 442 | ········-·CCE-26864-9 | ||
| 443 | ···· | ||
| 444 | ····-·name:·Disable·service·rpcidmapd | ||
| 445 | ······service: | ||
| Max diff block lines reached; 142861/148402 bytes (96.27%) of diff not shown. | |||
| Offset 34, 39 lines modified | Offset 34, 39 lines modified | ||
| 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······var_auditd_max_log_file:·1 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·suspend | ||
| 45 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 52 | ······sysctl_net_ipv4_c | 56 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 57 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·mls | 58 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 60 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·180 | 61 | ······var_accounts_maximum_age_login_defs:·180 |
| 62 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 63 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 64 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_action_mail_acct:·admin | ||
| 62 | ······var_auditd_max_log_file:·1 | ||
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | 67 | ····-·name:·Disable·service·vsftpd |
| 68 | ······service: | 68 | ······service: |
| 69 | ········name="{{item}}" | 69 | ········name="{{item}}" |
| 70 | ········enabled="no" | 70 | ········enabled="no" |
| 71 | ········state="stopped" | 71 | ········state="stopped" |
| 72 | ······register:·service_result | 72 | ······register:·service_result |
| Offset 123, 47 lines modified | Offset 123, 14 lines modified | ||
| 123 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 124 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 125 | ········-·low_complexity | 125 | ········-·low_complexity |
| 126 | ········-·low_disruption | 126 | ········-·low_disruption |
| 127 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 128 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·dhcp·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·dhcp | ||
| 136 | ······tags: | ||
| 137 | ········-·package_dhcp_removed | ||
| 138 | ········-·medium_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-27120-5 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ···· | ||
| 145 | ····-·name:·Disable·service·dhcpd | ||
| 146 | ······service: | ||
| 147 | ········name="{{item}}" | ||
| 148 | ········enabled="no" | ||
| 149 | ········state="stopped" | ||
| 150 | ······register:·service_result | ||
| 151 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 152 | ······with_items: | ||
| 153 | ········-·dhcpd | ||
| 154 | ······tags: | ||
| 155 | ········-·service_dhcpd_disabled | ||
| 156 | ········-·medium_severity | ||
| 157 | ········-·disable_strategy | ||
| 158 | ········-·low_complexity | ||
| 159 | ········-·low_disruption | ||
| 160 | ········-·CCE-27074-4 | ||
| 161 | ········-·NIST-800-53-CM-7 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Enable·service·ntpd | 130 | ····-·name:·Enable·service·ntpd |
| 164 | ······service: | 131 | ······service: |
| 165 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 166 | ········enabled="yes" | 133 | ········enabled="yes" |
| 167 | ········state="started" | 134 | ········state="started" |
| 168 | ······with_items: | 135 | ······with_items: |
| 169 | ········-·ntpd | 136 | ········-·ntpd |
| Offset 192, 50 lines modified | Offset 159, 14 lines modified | ||
| 192 | ········-·unknown_severity | 159 | ········-·unknown_severity |
| 193 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 194 | ········-·low_complexity | 161 | ········-·low_complexity |
| 195 | ········-·low_disruption | 162 | ········-·low_disruption |
| 196 | ········-·CCE-26899-5 | 163 | ········-·CCE-26899-5 |
| 197 | ········-·NIST-800-53-CM-7 | 164 | ········-·NIST-800-53-CM-7 |
| 198 | ···· | 165 | ···· |
| 199 | ····-·name:·Enable·service·crond | ||
| 200 | ······service: | ||
| 201 | ········name="{{item}}" | ||
| 202 | ········enabled="yes" | ||
| 203 | ········state="started" | ||
| 204 | ······with_items: | ||
| 205 | ········-·crond | ||
| 206 | ······tags: | ||
| 207 | ········-·service_crond_enabled | ||
| 208 | ········-·medium_severity | ||
| 209 | ········-·enable_strategy | ||
| 210 | ········-·low_complexity | ||
| 211 | ········-·low_disruption | ||
| 212 | ········-·CCE-27070-2 | ||
| 213 | ········-·NIST-800-53-CM-7 | ||
| 214 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 215 | ···· | ||
| 216 | ····-·name:·Disable·service·atd | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="no" | ||
| 220 | ········state="stopped" | ||
| 221 | ······register:·service_result | ||
| 222 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 223 | ······with_items: | ||
| Max diff block lines reached; 102912/107604 bytes (95.64%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·vsftpd | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| Offset 128, 47 lines modified | Offset 128, 14 lines modified | ||
| 128 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 129 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 130 | ········-·low_complexity | 130 | ········-·low_complexity |
| 131 | ········-·low_disruption | 131 | ········-·low_disruption |
| 132 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 133 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 134 | ···· | 134 | ···· |
| 135 | ····-·name:·Ensure·dhcp·is·removed | ||
| 136 | ······package: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········state=absent | ||
| 139 | ······with_items: | ||
| 140 | ········-·dhcp | ||
| 141 | ······tags: | ||
| 142 | ········-·package_dhcp_removed | ||
| 143 | ········-·medium_severity | ||
| 144 | ········-·disable_strategy | ||
| 145 | ········-·low_complexity | ||
| 146 | ········-·low_disruption | ||
| 147 | ········-·CCE-27120-5 | ||
| 148 | ········-·NIST-800-53-CM-7 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·dhcpd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·dhcpd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_dhcpd_disabled | ||
| 161 | ········-·medium_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27074-4 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Enable·service·ntpd | 135 | ····-·name:·Enable·service·ntpd |
| 169 | ······service: | 136 | ······service: |
| 170 | ········name="{{item}}" | 137 | ········name="{{item}}" |
| 171 | ········enabled="yes" | 138 | ········enabled="yes" |
| 172 | ········state="started" | 139 | ········state="started" |
| 173 | ······with_items: | 140 | ······with_items: |
| 174 | ········-·ntpd | 141 | ········-·ntpd |
| Offset 210, 50 lines modified | Offset 177, 14 lines modified | ||
| 210 | ········-·service_snmpd_disabled | 177 | ········-·service_snmpd_disabled |
| 211 | ········-·unknown_severity | 178 | ········-·unknown_severity |
| 212 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 213 | ········-·low_complexity | 180 | ········-·low_complexity |
| 214 | ········-·low_disruption | 181 | ········-·low_disruption |
| 215 | ········-·CCE-26906-8 | 182 | ········-·CCE-26906-8 |
| 216 | ···· | 183 | ···· |
| 217 | ····-·name:·Enable·service·crond | ||
| 218 | ······service: | ||
| 219 | ········name="{{item}}" | ||
| 220 | ········enabled="yes" | ||
| 221 | ········state="started" | ||
| 222 | ······with_items: | ||
| 223 | ········-·crond | ||
| 224 | ······tags: | ||
| 225 | ········-·service_crond_enabled | ||
| 226 | ········-·medium_severity | ||
| 227 | ········-·enable_strategy | ||
| 228 | ········-·low_complexity | ||
| 229 | ········-·low_disruption | ||
| 230 | ········-·CCE-27070-2 | ||
| 231 | ········-·NIST-800-53-CM-7 | ||
| 232 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 233 | ···· | ||
| 234 | ····-·name:·Disable·service·atd | ||
| 235 | ······service: | ||
| 236 | ········name="{{item}}" | ||
| 237 | ········enabled="no" | ||
| 238 | ········state="stopped" | ||
| Max diff block lines reached; 120474/125324 bytes (96.13%) of diff not shown. | |||
| Offset 29, 46 lines modified | Offset 29, 46 lines modified | ||
| 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······var_auditd_max_log_file:·1 | ||
| 37 | ······var_auditd_action_mail_acct:·admin | ||
| 38 | ······var_auditd_space_left_action:·suspend | ||
| 39 | ······var_auditd_admin_space_left_action:·halt | ||
| 40 | ······var_auditd_max_log_file_action:·ignore | ||
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 48 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 49 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 56 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 60 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 61 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 65 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 67 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_auditd_action_mail_acct:·admin | ||
| 64 | ······var_auditd_max_log_file:·1 | ||
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ······var_removable_partition:·/dev/cdrom | 69 | ······var_removable_partition:·/dev/cdrom |
| 70 | ······var_removable_partition:·/dev/cdrom | 70 | ······var_removable_partition:·/dev/cdrom |
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| Offset 83, 50 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 126 | ····-·name:·Ensure·rsh·is·removed | 90 | ····-·name:·Ensure·rsh·is·removed |
| 127 | ······package: | 91 | ······package: |
| 128 | ········name="{{item}}" | 92 | ········name="{{item}}" |
| 129 | ········state=absent | 93 | ········state=absent |
| 130 | ······with_items: | 94 | ······with_items: |
| 131 | ········-·rsh | 95 | ········-·rsh |
| 132 | ······tags: | 96 | ······tags: |
| Offset 279, 30 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 286 | ····-·name:· | 250 | ····-·name:·Enable·service·crond |
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| Max diff block lines reached; 114846/119591 bytes (96.03%) of diff not shown. | |||
| Offset 30, 43 lines modified | Offset 30, 43 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_auditd_max_log_file:·6 | ||
| 38 | ······var_auditd_admin_space_left_action:·single | ||
| 39 | ······var_auditd_max_log_file_action:·rotate | ||
| 37 | ······rsyslog_remote_loghost_address:·None | 40 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 43 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 45 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 47 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 56 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | 57 | ······var_accounts_minimum_age_login_defs:·7 |
| 58 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 60 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 61 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 62 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 63 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 64 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 65 | ······var_accounts_tmout:·600 |
| 63 | ······var_auditd_max_log_file:·6 | ||
| 64 | ······var_auditd_admin_space_left_action:·single | ||
| 65 | ······var_auditd_max_log_file_action:·rotate | ||
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | 68 | ····-·name:·Ensure·vsftpd·is·installed |
| 69 | ······package: | 69 | ······package: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········state=present | 71 | ········state=present |
| 72 | ······with_items: | 72 | ······with_items: |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| 310 | ········-·CCE-27005-8 | 259 | ········-·CCE-27005-8 |
| 311 | ········-·NIST-800-53-CM-7 | 260 | ········-·NIST-800-53-CM-7 |
| 312 | ········-·DISA-STIG-RHEL-06-000204 | 261 | ········-·DISA-STIG-RHEL-06-000204 |
| 313 | ···· | 262 | ···· |
| 263 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 264 | ······package: | ||
| 265 | ········name="{{item}}" | ||
| 266 | ········state=absent | ||
| Max diff block lines reached; 103453/109628 bytes (94.37%) of diff not shown. | |||
| Offset 34, 47 lines modified | Offset 34, 47 lines modified | ||
| 34 | ·······assert: | 34 | ·······assert: |
| 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······var_auditd_max_log_file:·6 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·single | ||
| 45 | ······var_auditd_max_log_file_action:·rotate | ||
| 41 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 56 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_ | 58 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 55 | ······sysctl_net_ipv4_c | 59 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 60 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 63 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | 64 | ······var_accounts_minimum_age_login_defs:·7 |
| 65 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 66 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 67 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 68 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 69 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 70 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 71 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 72 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 73 | ······var_accounts_tmout:·600 |
| 69 | ······var_auditd_action_mail_acct:·admin | ||
| 70 | ······var_auditd_max_log_file:·6 | ||
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | ||
| 74 | ······var_removable_partition:·/dev/cdrom | 74 | ······var_removable_partition:·/dev/cdrom |
| 75 | ······var_removable_partition:·/dev/cdrom | 75 | ······var_removable_partition:·/dev/cdrom |
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:·Ensure·vsftpd·is·removed | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······package: | 79 | ······package: |
| 80 | ········name="{{item}}" | 80 | ········name="{{item}}" |
| Offset 119, 47 lines modified | Offset 119, 14 lines modified | ||
| 119 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 120 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 121 | ········-·low_complexity | 121 | ········-·low_complexity |
| 122 | ········-·low_disruption | 122 | ········-·low_disruption |
| 123 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 124 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Ensure·dhcp·is·removed | ||
| 127 | ······package: | ||
| 128 | ········name="{{item}}" | ||
| 129 | ········state=absent | ||
| 130 | ······with_items: | ||
| 131 | ········-·dhcp | ||
| 132 | ······tags: | ||
| 133 | ········-·package_dhcp_removed | ||
| 134 | ········-·medium_severity | ||
| 135 | ········-·disable_strategy | ||
| 136 | ········-·low_complexity | ||
| 137 | ········-·low_disruption | ||
| 138 | ········-·CCE-27120-5 | ||
| 139 | ········-·NIST-800-53-CM-7 | ||
| 140 | ···· | ||
| 141 | ····-·name:·Disable·service·dhcpd | ||
| 142 | ······service: | ||
| 143 | ········name="{{item}}" | ||
| 144 | ········enabled="no" | ||
| 145 | ········state="stopped" | ||
| 146 | ······register:·service_result | ||
| 147 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 148 | ······with_items: | ||
| 149 | ········-·dhcpd | ||
| 150 | ······tags: | ||
| 151 | ········-·service_dhcpd_disabled | ||
| 152 | ········-·medium_severity | ||
| 153 | ········-·disable_strategy | ||
| 154 | ········-·low_complexity | ||
| 155 | ········-·low_disruption | ||
| 156 | ········-·CCE-27074-4 | ||
| 157 | ········-·NIST-800-53-CM-7 | ||
| 158 | ···· | ||
| 159 | ····-·name:·Enable·service·ntpd | 126 | ····-·name:·Enable·service·ntpd |
| 160 | ······service: | 127 | ······service: |
| 161 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 162 | ········enabled="yes" | 129 | ········enabled="yes" |
| 163 | ········state="started" | 130 | ········state="started" |
| 164 | ······with_items: | 131 | ······with_items: |
| 165 | ········-·ntpd | 132 | ········-·ntpd |
| Offset 188, 50 lines modified | Offset 155, 14 lines modified | ||
| 188 | ········-·unknown_severity | 155 | ········-·unknown_severity |
| 189 | ········-·disable_strategy | 156 | ········-·disable_strategy |
| 190 | ········-·low_complexity | 157 | ········-·low_complexity |
| 191 | ········-·low_disruption | 158 | ········-·low_disruption |
| 192 | ········-·CCE-26899-5 | 159 | ········-·CCE-26899-5 |
| 193 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 194 | ···· | 161 | ···· |
| 195 | ····-·name:·Enable·service·crond | ||
| 196 | ······service: | ||
| 197 | ········name="{{item}}" | ||
| 198 | ········enabled="yes" | ||
| 199 | ········state="started" | ||
| 200 | ······with_items: | ||
| 201 | ········-·crond | ||
| 202 | ······tags: | ||
| 203 | ········-·service_crond_enabled | ||
| 204 | ········-·medium_severity | ||
| 205 | ········-·enable_strategy | ||
| 206 | ········-·low_complexity | ||
| 207 | ········-·low_disruption | ||
| 208 | ········-·CCE-27070-2 | ||
| 209 | ········-·NIST-800-53-CM-7 | ||
| 210 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 142180/147328 bytes (96.51%) of diff not shown. | |||
| Offset 30, 26 lines modified | Offset 30, 26 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·900 | 36 | ······sshd_idle_timeout_value:·900 |
| 37 | ······var_auditd_max_log_file:·1 | ||
| 38 | ······var_auditd_action_mail_acct:·admin | ||
| 39 | ······var_auditd_space_left_action:·suspend | ||
| 40 | ······var_auditd_admin_space_left_action:·suspend | ||
| 41 | ······var_auditd_max_log_file_action:·ignore | ||
| 37 | ······var_accounts_maximum_age_login_defs:·90 | 42 | ······var_accounts_maximum_age_login_defs:·90 |
| 38 | ······var_account_disable_post_pw_expiration:·90 | 43 | ······var_account_disable_post_pw_expiration:·90 |
| 39 | ······var_password_pam_unix_remember:·4 | 44 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 45 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 46 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 47 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 48 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_action_mail_acct:·admin | ||
| 45 | ······var_auditd_max_log_file:·1 | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | ||
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| 55 | ······with_items: | 55 | ······with_items: |
| Offset 83, 723 lines modified | Offset 83, 34 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| Max diff block lines reached; 56106/71240 bytes (78.76%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 23 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | 40 | ······var_accounts_minimum_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 68 | ····-·name:·Ensure·rsh-server·is·removed | 49 | ····-·name:·Ensure·rsh-server·is·removed |
| 69 | ······package: | 50 | ······package: |
| 70 | ········name="{{item}}" | 51 | ········name="{{item}}" |
| 71 | ········state=absent | 52 | ········state=absent |
| 72 | ······with_items: | 53 | ······with_items: |
| 73 | ········-·rsh-server | 54 | ········-·rsh-server |
| 74 | ······tags: | 55 | ······tags: |
| Offset 198, 14 lines modified | Offset 179, 33 lines modified | ||
| 198 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 199 | ········-·low_complexity | 180 | ········-·low_complexity |
| 200 | ········-·low_disruption | 181 | ········-·low_disruption |
| 201 | ········-·CCE-27005-8 | 182 | ········-·CCE-27005-8 |
| 202 | ········-·NIST-800-53-CM-7 | 183 | ········-·NIST-800-53-CM-7 |
| 203 | ········-·DISA-STIG-RHEL-06-000204 | 184 | ········-·DISA-STIG-RHEL-06-000204 |
| 204 | ···· | 185 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 480, 219 lines modified | Offset 499, 14 lines modified | ||
| 480 | ········-·low_disruption | 499 | ········-·low_disruption |
| 481 | ········-·CCE-27100-7 | 500 | ········-·CCE-27100-7 |
| 482 | ········-·NIST-800-53-AC-3 | 501 | ········-·NIST-800-53-AC-3 |
| 483 | ········-·NIST-800-53-AC-6(2) | 502 | ········-·NIST-800-53-AC-6(2) |
| 484 | ········-·NIST-800-53-IA-2(1) | 503 | ········-·NIST-800-53-IA-2(1) |
| 485 | ········-·DISA-STIG-RHEL-06-000237 | 504 | ········-·DISA-STIG-RHEL-06-000237 |
| 486 | ···· | 505 | ···· |
| 487 | ····-·name:·Disable·service·avahi-daemon | ||
| 488 | ······service: | ||
| 489 | ········name="{{item}}" | ||
| 490 | ········enabled="no" | ||
| 491 | ········state="stopped" | ||
| 492 | ······register:·service_result | ||
| 493 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| Max diff block lines reached; 12595/22494 bytes (55.99%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Enable·service·ntpd | 69 | ····-·name:·Enable·service·ntpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="yes" | 72 | ········enabled="yes" |
| 73 | ········state="started" | 73 | ········state="started" |
| Offset 80, 65 lines modified | Offset 80, 14 lines modified | ||
| 80 | ········-·low_complexity | 80 | ········-·low_complexity |
| 81 | ········-·low_disruption | 81 | ········-·low_disruption |
| 82 | ········-·CCE-27093-4 | 82 | ········-·CCE-27093-4 |
| 83 | ········-·NIST-800-53-AU-8(1) | 83 | ········-·NIST-800-53-AU-8(1) |
| 84 | ········-·PCI-DSS-Req-10.4 | 84 | ········-·PCI-DSS-Req-10.4 |
| 85 | ········-·DISA-STIG-RHEL-06-000247 | 85 | ········-·DISA-STIG-RHEL-06-000247 |
| 86 | ···· | 86 | ···· |
| 87 | ····-·name:·Enable·service·crond | ||
| 88 | ······service: | ||
| 89 | ········name="{{item}}" | ||
| 90 | ········enabled="yes" | ||
| 91 | ········state="started" | ||
| 92 | ······with_items: | ||
| 93 | ········-·crond | ||
| 94 | ······tags: | ||
| 95 | ········-·service_crond_enabled | ||
| 96 | ········-·medium_severity | ||
| 97 | ········-·enable_strategy | ||
| 98 | ········-·low_complexity | ||
| 99 | ········-·low_disruption | ||
| 100 | ········-·CCE-27070-2 | ||
| 101 | ········-·NIST-800-53-CM-7 | ||
| 102 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 103 | ···· | ||
| 104 | ····-·name:·Disable·service·atd | ||
| 105 | ······service: | ||
| 106 | ········name="{{item}}" | ||
| 107 | ········enabled="no" | ||
| 108 | ········state="stopped" | ||
| 109 | ······register:·service_result | ||
| 110 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 111 | ······with_items: | ||
| 112 | ········-·atd | ||
| 113 | ······tags: | ||
| 114 | ········-·service_atd_disabled | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·disable_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27249-2 | ||
| 120 | ········-·NIST-800-53-CM-7 | ||
| 121 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 122 | ···· | ||
| 123 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 124 | ······package: | ||
| 125 | ········name="{{item}}" | ||
| 126 | ········state=absent | ||
| 127 | ······with_items: | ||
| 128 | ········-·xorg-x11-server-common | ||
| 129 | ······tags: | ||
| 130 | ········-·package_xorg-x11-server-common_removed | ||
| 131 | ········-·unknown_severity | ||
| 132 | ········-·disable_strategy | ||
| 133 | ········-·low_complexity | ||
| 134 | ········-·low_disruption | ||
| 135 | ········-·CCE-27198-1 | ||
| 136 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 137 | ···· | ||
| 138 | ····-·name:·Ensure·rsh-server·is·removed | 87 | ····-·name:·Ensure·rsh-server·is·removed |
| 139 | ······package: | 88 | ······package: |
| 140 | ········name="{{item}}" | 89 | ········name="{{item}}" |
| 141 | ········state=absent | 90 | ········state=absent |
| 142 | ······with_items: | 91 | ······with_items: |
| 143 | ········-·rsh-server | 92 | ········-·rsh-server |
| 144 | ······tags: | 93 | ······tags: |
| Offset 293, 14 lines modified | Offset 242, 81 lines modified | ||
| 293 | ········-·disable_strategy | 242 | ········-·disable_strategy |
| 294 | ········-·low_complexity | 243 | ········-·low_complexity |
| 295 | ········-·low_disruption | 244 | ········-·low_disruption |
| 296 | ········-·CCE-27005-8 | 245 | ········-·CCE-27005-8 |
| 297 | ········-·NIST-800-53-CM-7 | 246 | ········-·NIST-800-53-CM-7 |
| 298 | ········-·DISA-STIG-RHEL-06-000204 | 247 | ········-·DISA-STIG-RHEL-06-000204 |
| 299 | ···· | 248 | ···· |
| 249 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 250 | ······package: | ||
| 251 | ········name="{{item}}" | ||
| 252 | ········state=absent | ||
| Max diff block lines reached; 103453/109627 bytes (94.37%) of diff not shown. | |||
| Offset 32, 43 lines modified | Offset 32, 43 lines modified | ||
| 32 | ·······assert: | 32 | ·······assert: |
| 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 34 | ·········msg:·> | 34 | ·········msg:·> |
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······var_auditd_max_log_file:·6 | ||
| 40 | ······var_auditd_admin_space_left_action:·single | ||
| 41 | ······var_auditd_max_log_file_action:·rotate | ||
| 39 | ······rsyslog_remote_loghost_address:·None | 42 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 53 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_c | 54 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | 59 | ······var_accounts_minimum_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 62 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 63 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 64 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 65 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 67 | ······var_accounts_tmout:·600 |
| 65 | ······var_auditd_max_log_file:·6 | ||
| 66 | ······var_auditd_admin_space_left_action:·single | ||
| 67 | ······var_auditd_max_log_file_action:·rotate | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Enable·service·ntpd | 70 | ····-·name:·Enable·service·ntpd |
| 71 | ······service: | 71 | ······service: |
| 72 | ········name="{{item}}" | 72 | ········name="{{item}}" |
| 73 | ········enabled="yes" | 73 | ········enabled="yes" |
| 74 | ········state="started" | 74 | ········state="started" |
| Offset 81, 50 lines modified | Offset 81, 14 lines modified | ||
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-27093-4 | 83 | ········-·CCE-27093-4 |
| 84 | ········-·NIST-800-53-AU-8(1) | 84 | ········-·NIST-800-53-AU-8(1) |
| 85 | ········-·PCI-DSS-Req-10.4 | 85 | ········-·PCI-DSS-Req-10.4 |
| 86 | ········-·DISA-STIG-RHEL-06-000247 | 86 | ········-·DISA-STIG-RHEL-06-000247 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Enable·service·crond | ||
| 89 | ······service: | ||
| 90 | ········name="{{item}}" | ||
| 91 | ········enabled="yes" | ||
| 92 | ········state="started" | ||
| 93 | ······with_items: | ||
| 94 | ········-·crond | ||
| 95 | ······tags: | ||
| 96 | ········-·service_crond_enabled | ||
| 97 | ········-·medium_severity | ||
| 98 | ········-·enable_strategy | ||
| 99 | ········-·low_complexity | ||
| 100 | ········-·low_disruption | ||
| 101 | ········-·CCE-27070-2 | ||
| 102 | ········-·NIST-800-53-CM-7 | ||
| 103 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 104 | ···· | ||
| 105 | ····-·name:·Disable·service·atd | ||
| 106 | ······service: | ||
| 107 | ········name="{{item}}" | ||
| 108 | ········enabled="no" | ||
| 109 | ········state="stopped" | ||
| 110 | ······register:·service_result | ||
| 111 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 112 | ······with_items: | ||
| 113 | ········-·atd | ||
| 114 | ······tags: | ||
| 115 | ········-·service_atd_disabled | ||
| 116 | ········-·unknown_severity | ||
| 117 | ········-·disable_strategy | ||
| 118 | ········-·low_complexity | ||
| 119 | ········-·low_disruption | ||
| 120 | ········-·CCE-27249-2 | ||
| 121 | ········-·NIST-800-53-CM-7 | ||
| 122 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 123 | ···· | ||
| 124 | ····-·name:·Ensure·rsh-server·is·removed | 88 | ····-·name:·Ensure·rsh-server·is·removed |
| 125 | ······package: | 89 | ······package: |
| 126 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 127 | ········state=absent | 91 | ········state=absent |
| 128 | ······with_items: | 92 | ······with_items: |
| 129 | ········-·rsh-server | 93 | ········-·rsh-server |
| 130 | ······tags: | 94 | ······tags: |
| Offset 279, 14 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 250 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·openldap-servers | ||
| 256 | ······tags: | ||
| 257 | ········-·package_openldap-servers_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-26858-1 | ||
| 263 | ········-·NIST-800-53-CM-7 | ||
| 264 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 265 | ···· | ||
| 266 | ····-·name:·Enable·service·crond | ||
| 267 | ······service: | ||
| 268 | ········name="{{item}}" | ||
| Max diff block lines reached; 103453/108815 bytes (95.07%) of diff not shown. | |||
| Offset 37, 49 lines modified | Offset 37, 49 lines modified | ||
| 37 | ·······assert: | 37 | ·······assert: |
| 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 39 | ·········msg:·> | 39 | ·········msg:·> |
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······var_auditd_max_log_file:·6 | ||
| 45 | ······var_auditd_action_mail_acct:·admin | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·single | ||
| 48 | ······var_auditd_max_log_file_action:·rotate | ||
| 44 | ······rsyslog_remote_loghost_address:·None | 49 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 52 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 56 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_c | 61 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 62 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 58 | ······var_selinux_policy_name:·targeted | 63 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 64 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 65 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | 66 | ······var_accounts_minimum_age_login_defs:·1 |
| 67 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 68 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 69 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 70 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 71 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 72 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 73 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 74 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 76 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 77 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 78 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_auditd_action_mail_acct:·admin | ||
| 75 | ······var_auditd_max_log_file:·6 | ||
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | ||
| 79 | ······var_removable_partition:·/dev/cdrom | 79 | ······var_removable_partition:·/dev/cdrom |
| 80 | ······var_removable_partition:·/dev/cdrom | 80 | ······var_removable_partition:·/dev/cdrom |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Enable·service·ntpd | 83 | ····-·name:·Enable·service·ntpd |
| 84 | ······service: | 84 | ······service: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| Max diff block lines reached; 126814/131492 bytes (96.44%) of diff not shown. | |||
| Offset 35, 29 lines modified | Offset 35, 29 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 49 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·60 | 55 | ······var_accounts_maximum_age_login_defs:·60 |
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 127, 47 lines modified | Offset 127, 14 lines modified | ||
| 127 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 128 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 129 | ········-·low_complexity | 129 | ········-·low_complexity |
| 130 | ········-·low_disruption | 130 | ········-·low_disruption |
| 131 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 132 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 133 | ···· | 133 | ···· |
| 134 | ····-·name:·Ensure·dhcp·is·removed | ||
| 135 | ······package: | ||
| 136 | ········name="{{item}}" | ||
| 137 | ········state=absent | ||
| 138 | ······with_items: | ||
| 139 | ········-·dhcp | ||
| 140 | ······tags: | ||
| 141 | ········-·package_dhcp_removed | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·disable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27120-5 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·dhcpd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·dhcpd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_dhcpd_disabled | ||
| 160 | ········-·medium_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27074-4 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ···· | ||
| 167 | ····-·name:·Enable·service·ntpd | 134 | ····-·name:·Enable·service·ntpd |
| 168 | ······service: | 135 | ······service: |
| 169 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 170 | ········enabled="yes" | 137 | ········enabled="yes" |
| 171 | ········state="started" | 138 | ········state="started" |
| 172 | ······with_items: | 139 | ······with_items: |
| 173 | ········-·ntpd | 140 | ········-·ntpd |
| Offset 209, 50 lines modified | Offset 176, 14 lines modified | ||
| 209 | ········-·service_snmpd_disabled | 176 | ········-·service_snmpd_disabled |
| 210 | ········-·unknown_severity | 177 | ········-·unknown_severity |
| 211 | ········-·disable_strategy | 178 | ········-·disable_strategy |
| 212 | ········-·low_complexity | 179 | ········-·low_complexity |
| 213 | ········-·low_disruption | 180 | ········-·low_disruption |
| 214 | ········-·CCE-26906-8 | 181 | ········-·CCE-26906-8 |
| 215 | ···· | 182 | ···· |
| 216 | ····-·name:·Enable·service·crond | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="yes" | ||
| 220 | ········state="started" | ||
| 221 | ······with_items: | ||
| 222 | ········-·crond | ||
| 223 | ······tags: | ||
| 224 | ········-·service_crond_enabled | ||
| 225 | ········-·medium_severity | ||
| 226 | ········-·enable_strategy | ||
| 227 | ········-·low_complexity | ||
| 228 | ········-·low_disruption | ||
| 229 | ········-·CCE-27070-2 | ||
| 230 | ········-·NIST-800-53-CM-7 | ||
| 231 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 232 | ···· | ||
| 233 | ····-·name:·Disable·service·atd | ||
| 234 | ······service: | ||
| 235 | ········name="{{item}}" | ||
| 236 | ········enabled="no" | ||
| 237 | ········state="stopped" | ||
| 238 | ······register:·service_result | ||
| 239 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 240 | ······with_items: | ||
| 241 | ········-·atd | ||
| 242 | ······tags: | ||
| 243 | ········-·service_atd_disabled | ||
| 244 | ········-·unknown_severity | ||
| 245 | ········-·disable_strategy | ||
| 246 | ········-·low_complexity | ||
| 247 | ········-·low_disruption | ||
| 248 | ········-·CCE-27249-2 | ||
| 249 | ········-·NIST-800-53-CM-7 | ||
| 250 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 251 | ···· | ||
| 252 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 253 | ······package: | 184 | ······package: |
| 254 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| Max diff block lines reached; 133839/138029 bytes (96.96%) of diff not shown. | |||
| Offset 46, 25 lines modified | Offset 46, 25 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_ | 61 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_c | 62 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 63 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| Offset 77, 16 lines modified | Offset 77, 16 lines modified | ||
| 77 | ······var_password_pam_lcredit:·-1 | 77 | ······var_password_pam_lcredit:·-1 |
| 78 | ······var_password_pam_ucredit:·-1 | 78 | ······var_password_pam_ucredit:·-1 |
| 79 | ······var_password_pam_retry:·1 | 79 | ······var_password_pam_retry:·1 |
| 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_removable_partition:·/dev/cdrom | 82 | ······var_removable_partition:·/dev/cdrom |
| 83 | ······var_removable_partition:·/dev/cdrom | 83 | ······var_removable_partition:·/dev/cdrom |
| 84 | ······var_auditd_action_mail_acct:·root | ||
| 85 | ······var_auditd_max_log_file:·6 | 84 | ······var_auditd_max_log_file:·6 |
| 85 | ······var_auditd_action_mail_acct:·root | ||
| 86 | ······var_auditd_admin_space_left_action:·single | 86 | ······var_auditd_admin_space_left_action:·single |
| 87 | ······var_auditd_max_log_file_action:·rotate | 87 | ······var_auditd_max_log_file_action:·rotate |
| 88 | ···tasks: | 88 | ···tasks: |
| 89 | ····-·name:·Ensure·rsh·is·removed | 89 | ····-·name:·Ensure·rsh·is·removed |
| 90 | ······package: | 90 | ······package: |
| 91 | ········name="{{item}}" | 91 | ········name="{{item}}" |
| 92 | ········state=absent | 92 | ········state=absent |
| Offset 119, 54 lines modified | Offset 119, 54 lines modified | ||
| 119 | ········-·CCE-27336-7 | 119 | ········-·CCE-27336-7 |
| 120 | ········-·NIST-800-53-AC-17(8) | 120 | ········-·NIST-800-53-AC-17(8) |
| 121 | ········-·NIST-800-53-CM-7 | 121 | ········-·NIST-800-53-CM-7 |
| 122 | ········-·NIST-800-53-IA-5(1)(c) | 122 | ········-·NIST-800-53-IA-5(1)(c) |
| 123 | ········-·NIST-800-171-3.1.13 | 123 | ········-·NIST-800-171-3.1.13 |
| 124 | ········-·NIST-800-171-3.4.7 | 124 | ········-·NIST-800-171-3.4.7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Disable·service·r | 126 | ····-·name:·Disable·service·rsh |
| 127 | ······service: | 127 | ······service: |
| 128 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 129 | ········enabled="no" | 129 | ········enabled="no" |
| 130 | ········state="stopped" | 130 | ········state="stopped" |
| 131 | ······register:·service_result | 131 | ······register:·service_result |
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 133 | ······with_items: | 133 | ······with_items: |
| 134 | ········-·r | 134 | ········-·rsh |
| 135 | ······tags: | 135 | ······tags: |
| 136 | ········-·service_r | 136 | ········-·service_rsh_disabled |
| 137 | ········-·high_severity | 137 | ········-·high_severity |
| 138 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 139 | ········-·low_complexity | 139 | ········-·low_complexity |
| 140 | ········-·low_disruption | 140 | ········-·low_disruption |
| 141 | ········-·CCE-27 | 141 | ········-·CCE-27337-5 |
| 142 | ········-·NIST-800-53-AC-17(8) | 142 | ········-·NIST-800-53-AC-17(8) |
| 143 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 144 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 144 | ········-·NIST-800-171-3.1.13 | 145 | ········-·NIST-800-171-3.1.13 |
| 145 | ········-·NIST-800-171-3.4.7 | 146 | ········-·NIST-800-171-3.4.7 |
| 146 | ···· | 147 | ···· |
| 147 | ····-·name:·Disable·service·r | 148 | ····-·name:·Disable·service·rexec |
| 148 | ······service: | 149 | ······service: |
| 149 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 150 | ········enabled="no" | 151 | ········enabled="no" |
| 151 | ········state="stopped" | 152 | ········state="stopped" |
| 152 | ······register:·service_result | 153 | ······register:·service_result |
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 154 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 154 | ······with_items: | 155 | ······with_items: |
| 155 | ········-·r | 156 | ········-·rexec |
| 156 | ······tags: | 157 | ······tags: |
| 157 | ········-·service_r | 158 | ········-·service_rexec_disabled |
| 158 | ········-·high_severity | 159 | ········-·high_severity |
| 159 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 160 | ········-·low_complexity | 161 | ········-·low_complexity |
| 161 | ········-·low_disruption | 162 | ········-·low_disruption |
| 162 | ········-·CCE-27 | 163 | ········-·CCE-27408-4 |
| 163 | ········-·NIST-800-53-AC-17(8) | 164 | ········-·NIST-800-53-AC-17(8) |
| 164 | ········-·NIST-800-53-CM-7 | 165 | ········-·NIST-800-53-CM-7 |
| 165 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 166 | ········-·NIST-800-171-3.1.13 | 166 | ········-·NIST-800-171-3.1.13 |
| 167 | ········-·NIST-800-171-3.4.7 | 167 | ········-·NIST-800-171-3.4.7 |
| 168 | ···· | 168 | ···· |
| 169 | ····-·block: | 169 | ····-·block: |
| 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" | 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" |
| 171 | ··········find: | 171 | ··········find: |
| 172 | ··············paths:·/ | 172 | ··············paths:·/ |
| Offset 274, 30 lines modified | Offset 274, 14 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 297 | ····-·name:·Disable·service·xinetd | 281 | ····-·name:·Disable·service·xinetd |
| 298 | ······service: | 282 | ······service: |
| 299 | ········name="{{item}}" | 283 | ········name="{{item}}" |
| Max diff block lines reached; 66690/72411 bytes (92.10%) of diff not shown. | |||
| Offset 36, 25 lines modified | Offset 36, 25 lines modified | ||
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 43 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······var_accounts_minimum_age_login_defs:·1 | 47 | ······var_accounts_minimum_age_login_defs:·1 |
| 48 | ······var_account_disable_post_pw_expiration:·0 | 48 | ······var_account_disable_post_pw_expiration:·0 |
| 49 | ······var_password_pam_minlen:·12 | 49 | ······var_password_pam_minlen:·12 |
| 50 | ······var_password_pam_difok:·6 | 50 | ······var_password_pam_difok:·6 |
| 51 | ······var_accounts_max_concurrent_login_sessions:·3 | 51 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 52 | ······var_auditd_action_mail_acct:·admin | ||
| 53 | ······var_auditd_max_log_file:·1 | 52 | ······var_auditd_max_log_file:·1 |
| 53 | ······var_auditd_action_mail_acct:·admin | ||
| 54 | ······var_auditd_space_left_action:·suspend | 54 | ······var_auditd_space_left_action:·suspend |
| 55 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 56 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······inactivity_timeout_value:·1800 | 57 | ······inactivity_timeout_value:·1800 |
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| Offset 368, 100 lines modified | Offset 368, 100 lines modified | ||
| 368 | ········-·NIST-800-53-SC-7 | 368 | ········-·NIST-800-53-SC-7 |
| 369 | ········-·NIST-800-171-3.1.20 | 369 | ········-·NIST-800-171-3.1.20 |
| 370 | ········-·CJIS-5.10.1.1 | 370 | ········-·CJIS-5.10.1.1 |
| 371 | ········-·DISA-STIG-RHEL-07-040620 | 371 | ········-·DISA-STIG-RHEL-07-040620 |
| 372 | ···· | 372 | ···· |
| 373 | ···· | 373 | ···· |
| 374 | ···· | 374 | ···· |
| 375 | ····-·name:·Ensure·sysctl·net.ipv4. | 375 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 376 | ······sysctl: | 376 | ······sysctl: |
| 377 | ········name:·net.ipv4. | 377 | ········name:·net.ipv4.conf.default.accept_redirects |
| 378 | ········value:·"{{·sysctl_net_ipv4_ | 378 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 379 | ········state:·present | 379 | ········state:·present |
| 380 | ········reload:·yes | 380 | ········reload:·yes |
| 381 | ······tags: | 381 | ······tags: |
| 382 | ········-·sysctl_net_ipv4_ | 382 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 383 | ········-·medium_severity | 383 | ········-·medium_severity |
| 384 | ········-·disable_strategy | 384 | ········-·disable_strategy |
| 385 | ········-·low_complexity | 385 | ········-·low_complexity |
| 386 | ········-·medium_disruption | 386 | ········-·medium_disruption |
| 387 | ········-·CCE-8016 | 387 | ········-·CCE-80163-9 |
| 388 | ········-·NIST-800-53-AC-4 | 388 | ········-·NIST-800-53-AC-4 |
| 389 | ········-·NIST-800-53-CM-7 | 389 | ········-·NIST-800-53-CM-7 |
| 390 | ········-·NIST-800-53-SC-5 | 390 | ········-·NIST-800-53-SC-5 |
| 391 | ········-·NIST-800-53-SC-7 | ||
| 391 | ········-·NIST-800-171-3.1.20 | 392 | ········-·NIST-800-171-3.1.20 |
| 392 | ········-·CJIS-5.10.1.1 | 393 | ········-·CJIS-5.10.1.1 |
| 393 | ········-·DISA-STIG-RHEL-07-0406 | 394 | ········-·DISA-STIG-RHEL-07-040640 |
| 394 | ···· | 395 | ···· |
| 395 | ···· | 396 | ···· |
| 396 | ···· | 397 | ···· |
| 397 | ····-·name:·Ensure·sysctl·net.ipv4.conf. | 398 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.accept_redirects·is·set |
| 398 | ······sysctl: | 399 | ······sysctl: |
| 399 | ········name:·net.ipv4.conf. | 400 | ········name:·net.ipv4.conf.all.accept_redirects |
| 400 | ········value:·"{{·sysctl_net_ipv4_conf_ | 401 | ········value:·"{{·sysctl_net_ipv4_conf_all_accept_redirects_value·}}" |
| 401 | ········state:·present | 402 | ········state:·present |
| 402 | ········reload:·yes | 403 | ········reload:·yes |
| 403 | ······tags: | 404 | ······tags: |
| 404 | ········-·sysctl_net_ipv4_conf_ | 405 | ········-·sysctl_net_ipv4_conf_all_accept_redirects |
| 405 | ········-·medium_severity | 406 | ········-·medium_severity |
| 406 | ········-·disable_strategy | 407 | ········-·disable_strategy |
| 407 | ········-·low_complexity | 408 | ········-·low_complexity |
| 408 | ········-·medium_disruption | 409 | ········-·medium_disruption |
| 409 | ········-·CCE-801 | 410 | ········-·CCE-80158-9 |
| 410 | ········-·NIST-800-53- | 411 | ········-·NIST-800-53-CM-6(d) |
| 411 | ········-·NIST-800-53-CM-7 | 412 | ········-·NIST-800-53-CM-7 |
| 412 | ········-·NIST-800-53-SC-5 | 413 | ········-·NIST-800-53-SC-5 |
| 413 | ········-·NIST-800-53-SC-7 | ||
| 414 | ········-·NIST-800-171-3.1.20 | 414 | ········-·NIST-800-171-3.1.20 |
| 415 | ········-·CJIS-5.10.1.1 | 415 | ········-·CJIS-5.10.1.1 |
| 416 | ········-·DISA-STIG-RHEL-07-04064 | 416 | ········-·DISA-STIG-RHEL-07-040641 |
| 417 | ···· | 417 | ···· |
| 418 | ···· | 418 | ···· |
| 419 | ···· | 419 | ···· |
| 420 | ····-·name:·Ensure·sysctl·net.ipv4. | 420 | ····-·name:·Ensure·sysctl·net.ipv4.icmp_echo_ignore_broadcasts·is·set |
| 421 | ······sysctl: | 421 | ······sysctl: |
| 422 | ········name:·net.ipv4. | 422 | ········name:·net.ipv4.icmp_echo_ignore_broadcasts |
| 423 | ········value:·"{{·sysctl_net_ipv4_ | 423 | ········value:·"{{·sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value·}}" |
| 424 | ········state:·present | 424 | ········state:·present |
| 425 | ········reload:·yes | 425 | ········reload:·yes |
| 426 | ······tags: | 426 | ······tags: |
| 427 | ········-·sysctl_net_ipv4_ | 427 | ········-·sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| 428 | ········-·medium_severity | 428 | ········-·medium_severity |
| 429 | ········-·disable_strategy | 429 | ········-·disable_strategy |
| 430 | ········-·low_complexity | 430 | ········-·low_complexity |
| 431 | ········-·medium_disruption | 431 | ········-·medium_disruption |
| 432 | ········-·CCE- | 432 | ········-·CCE-80165-4 |
| 433 | ········-·NIST-800-53-AC-4 | 433 | ········-·NIST-800-53-AC-4 |
| 434 | ········-·NIST-800-53- | 434 | ········-·NIST-800-53-CM-7 |
| 435 | ········-·NIST-800-53-SC-5 | 435 | ········-·NIST-800-53-SC-5 |
| 436 | ········-·NIST-800-53-SC-5(3) | ||
| 437 | ········-·NIST-800-171-3.1.20 | 436 | ········-·NIST-800-171-3.1.20 |
| 438 | ········-·CJIS-5.10.1.1 | 437 | ········-·CJIS-5.10.1.1 |
| 438 | ········-·DISA-STIG-RHEL-07-040630 | ||
| 439 | ···· | 439 | ···· |
| 440 | ···· | 440 | ···· |
| 441 | ···· | 441 | ···· |
| 442 | ····-·name:·Ensure·sysctl·net.ipv4. | 442 | ····-·name:·Ensure·sysctl·net.ipv4.tcp_syncookies·is·set |
| 443 | ······sysctl: | 443 | ······sysctl: |
| 444 | ········name:·net.ipv4. | 444 | ········name:·net.ipv4.tcp_syncookies |
| 445 | ········value:·"{{·sysctl_net_ipv4_ | 445 | ········value:·"{{·sysctl_net_ipv4_tcp_syncookies_value·}}" |
| 446 | ········state:·present | 446 | ········state:·present |
| 447 | ········reload:·yes | 447 | ········reload:·yes |
| 448 | ······tags: | 448 | ······tags: |
| 449 | ········-·sysctl_net_ipv4_ | 449 | ········-·sysctl_net_ipv4_tcp_syncookies |
| 450 | ········-·medium_severity | 450 | ········-·medium_severity |
| 451 | ········-·disable_strategy | 451 | ········-·disable_strategy |
| 452 | ········-·low_complexity | 452 | ········-·low_complexity |
| 453 | ········-·medium_disruption | 453 | ········-·medium_disruption |
| 454 | ········-·CCE- | 454 | ········-·CCE-27495-1 |
| 455 | ········-·NIST-800-53- | 455 | ········-·NIST-800-53-AC-4 |
| 456 | ········-·NIST-800-53-C | 456 | ········-·NIST-800-53-SC-5(1)(2) |
| 457 | ········-·NIST-800-53-SC-5 | 457 | ········-·NIST-800-53-SC-5(2) |
| 458 | ········-·NIST-800-53-SC-5(3) | ||
| 458 | ········-·NIST-800-171-3.1.20 | 459 | ········-·NIST-800-171-3.1.20 |
| 459 | ········-·CJIS-5.10.1.1 | 460 | ········-·CJIS-5.10.1.1 |
| 460 | ········-·DISA-STIG-RHEL-07-040641 | ||
| 461 | ···· | 461 | ···· |
| 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 | 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 |
| Max diff block lines reached; 34274/39699 bytes (86.33%) of diff not shown. | |||
| Offset 81, 54 lines modified | Offset 81, 54 lines modified | ||
| 81 | ········-·CCE-27336-7 | 81 | ········-·CCE-27336-7 |
| 82 | ········-·NIST-800-53-AC-17(8) | 82 | ········-·NIST-800-53-AC-17(8) |
| 83 | ········-·NIST-800-53-CM-7 | 83 | ········-·NIST-800-53-CM-7 |
| 84 | ········-·NIST-800-53-IA-5(1)(c) | 84 | ········-·NIST-800-53-IA-5(1)(c) |
| 85 | ········-·NIST-800-171-3.1.13 | 85 | ········-·NIST-800-171-3.1.13 |
| 86 | ········-·NIST-800-171-3.4.7 | 86 | ········-·NIST-800-171-3.4.7 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Disable·service·r | 88 | ····-·name:·Disable·service·rsh |
| 89 | ······service: | 89 | ······service: |
| 90 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 91 | ········enabled="no" | 91 | ········enabled="no" |
| 92 | ········state="stopped" | 92 | ········state="stopped" |
| 93 | ······register:·service_result | 93 | ······register:·service_result |
| 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 95 | ······with_items: | 95 | ······with_items: |
| 96 | ········-·r | 96 | ········-·rsh |
| 97 | ······tags: | 97 | ······tags: |
| 98 | ········-·service_r | 98 | ········-·service_rsh_disabled |
| 99 | ········-·high_severity | 99 | ········-·high_severity |
| 100 | ········-·disable_strategy | 100 | ········-·disable_strategy |
| 101 | ········-·low_complexity | 101 | ········-·low_complexity |
| 102 | ········-·low_disruption | 102 | ········-·low_disruption |
| 103 | ········-·CCE-27 | 103 | ········-·CCE-27337-5 |
| 104 | ········-·NIST-800-53-AC-17(8) | 104 | ········-·NIST-800-53-AC-17(8) |
| 105 | ········-·NIST-800-53-CM-7 | 105 | ········-·NIST-800-53-CM-7 |
| 106 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 106 | ········-·NIST-800-171-3.1.13 | 107 | ········-·NIST-800-171-3.1.13 |
| 107 | ········-·NIST-800-171-3.4.7 | 108 | ········-·NIST-800-171-3.4.7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Disable·service·r | 110 | ····-·name:·Disable·service·rexec |
| 110 | ······service: | 111 | ······service: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········enabled="no" | 113 | ········enabled="no" |
| 113 | ········state="stopped" | 114 | ········state="stopped" |
| 114 | ······register:·service_result | 115 | ······register:·service_result |
| 115 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 116 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 116 | ······with_items: | 117 | ······with_items: |
| 117 | ········-·r | 118 | ········-·rexec |
| 118 | ······tags: | 119 | ······tags: |
| 119 | ········-·service_r | 120 | ········-·service_rexec_disabled |
| 120 | ········-·high_severity | 121 | ········-·high_severity |
| 121 | ········-·disable_strategy | 122 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 123 | ········-·low_complexity |
| 123 | ········-·low_disruption | 124 | ········-·low_disruption |
| 124 | ········-·CCE-27 | 125 | ········-·CCE-27408-4 |
| 125 | ········-·NIST-800-53-AC-17(8) | 126 | ········-·NIST-800-53-AC-17(8) |
| 126 | ········-·NIST-800-53-CM-7 | 127 | ········-·NIST-800-53-CM-7 |
| 127 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 128 | ········-·NIST-800-171-3.1.13 | 128 | ········-·NIST-800-171-3.1.13 |
| 129 | ········-·NIST-800-171-3.4.7 | 129 | ········-·NIST-800-171-3.4.7 |
| 130 | ···· | 130 | ···· |
| 131 | ····-·name:·Ensure·rsh-server·is·removed | 131 | ····-·name:·Ensure·rsh-server·is·removed |
| 132 | ······package: | 132 | ······package: |
| 133 | ········name="{{item}}" | 133 | ········name="{{item}}" |
| 134 | ········state=absent | 134 | ········state=absent |
| Offset 899, 30 lines modified | Offset 899, 14 lines modified | ||
| 899 | ········-·NIST-800-53-AC-6 | 899 | ········-·NIST-800-53-AC-6 |
| 900 | ········-·NIST-800-53-AU-9 | 900 | ········-·NIST-800-53-AU-9 |
| 901 | ········-·NIST-800-53-SI-6(a) | 901 | ········-·NIST-800-53-SI-6(a) |
| 902 | ········-·NIST-800-171-3.1.2 | 902 | ········-·NIST-800-171-3.1.2 |
| 903 | ········-·NIST-800-171-3.7.2 | 903 | ········-·NIST-800-171-3.7.2 |
| 904 | ········-·DISA-STIG-RHEL-07-020210 | 904 | ········-·DISA-STIG-RHEL-07-020210 |
| 905 | ···· | 905 | ···· |
| 906 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 907 | ······lineinfile: | ||
| 908 | ········dest:·/etc/securetty | ||
| 909 | ········regexp:·'ttyS[0-9]' | ||
| 910 | ········state:·absent | ||
| 911 | ······tags: | ||
| 912 | ········-·restrict_serial_port_logins | ||
| 913 | ········-·unknown_severity | ||
| 914 | ········-·restrict_strategy | ||
| 915 | ········-·low_complexity | ||
| 916 | ········-·low_disruption | ||
| 917 | ········-·CCE-27268-2 | ||
| 918 | ········-·NIST-800-53-AC-6(2) | ||
| 919 | ········-·NIST-800-171-3.1.1 | ||
| 920 | ········-·NIST-800-171-3.1.5 | ||
| 921 | ···· | ||
| 922 | ····-·name:·"Direct·root·Logins·Not·Allowed" | 906 | ····-·name:·"Direct·root·Logins·Not·Allowed" |
| 923 | ······shell:·echo·>·/etc/securetty | 907 | ······shell:·echo·>·/etc/securetty |
| 924 | ······tags: | 908 | ······tags: |
| 925 | ········-·no_direct_root_logins | 909 | ········-·no_direct_root_logins |
| 926 | ········-·medium_severity | 910 | ········-·medium_severity |
| 927 | ········-·restrict_strategy | 911 | ········-·restrict_strategy |
| 928 | ········-·low_complexity | 912 | ········-·low_complexity |
| Offset 944, 14 lines modified | Offset 928, 30 lines modified | ||
| 944 | ········-·low_complexity | 928 | ········-·low_complexity |
| 945 | ········-·low_disruption | 929 | ········-·low_disruption |
| 946 | ········-·CCE-27318-5 | 930 | ········-·CCE-27318-5 |
| 947 | ········-·NIST-800-53-AC-6(2) | 931 | ········-·NIST-800-53-AC-6(2) |
| 948 | ········-·NIST-800-171-3.1.1 | 932 | ········-·NIST-800-171-3.1.1 |
| 949 | ········-·NIST-800-171-3.1.5 | 933 | ········-·NIST-800-171-3.1.5 |
| 950 | ···· | 934 | ···· |
| 935 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 936 | ······lineinfile: | ||
| 937 | ········dest:·/etc/securetty | ||
| 938 | ········regexp:·'ttyS[0-9]' | ||
| 939 | ········state:·absent | ||
| 940 | ······tags: | ||
| 941 | ········-·restrict_serial_port_logins | ||
| 942 | ········-·unknown_severity | ||
| 943 | ········-·restrict_strategy | ||
| 944 | ········-·low_complexity | ||
| 945 | ········-·low_disruption | ||
| 946 | ········-·CCE-27268-2 | ||
| 947 | ········-·NIST-800-53-AC-6(2) | ||
| 948 | ········-·NIST-800-171-3.1.1 | ||
| 949 | ········-·NIST-800-171-3.1.5 | ||
| 950 | ···· | ||
| 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 952 | ······replace: | 952 | ······replace: |
| 953 | ········dest:·/etc/pam.d/system-auth | 953 | ········dest:·/etc/pam.d/system-auth |
| 954 | ········follow:·yes | 954 | ········follow:·yes |
| 955 | ········regexp:·'nullok' | 955 | ········regexp:·'nullok' |
| 956 | ······tags: | 956 | ······tags: |
| 957 | ········-·no_empty_passwords | 957 | ········-·no_empty_passwords |
| Offset 1025, 59 lines modified | Offset 1025, 14 lines modified | ||
| 1025 | ········-·medium_severity | 1025 | ········-·medium_severity |
| 1026 | ········-·disable_strategy | 1026 | ········-·disable_strategy |
| 1027 | ········-·low_complexity | 1027 | ········-·low_complexity |
| 1028 | ········-·low_disruption | 1028 | ········-·low_disruption |
| 1029 | ········-·CCE-80206-6 | 1029 | ········-·CCE-80206-6 |
| 1030 | ········-·NIST-800-171-3.4.5 | 1030 | ········-·NIST-800-171-3.4.5 |
| 1031 | ···· | 1031 | ···· |
| 1032 | ····-·name:·Ensure·kernel·module·'usb-storage'·is·disabled | ||
| 1033 | ······lineinfile: | ||
| Max diff block lines reached; 61653/66721 bytes (92.40%) of diff not shown. | |||
| Offset 56, 86 lines modified | Offset 56, 86 lines modified | ||
| 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 63 | ······sysctl_net_ipv4_icmp_ | 63 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 67 | ······sysctl_net_ipv4_conf_ | 67 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 69 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 68 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 69 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 71 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 70 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 72 | ······sysctl_net_ipv4_ | 71 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_c | 72 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 73 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 75 | ······var_ssh_sysadm_login:·false | 75 | ······var_ssh_sysadm_login:·false |
| 76 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 76 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 77 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_gpg_web_anon_write:·false | ||
| 80 | ······var_mount_anyfile:·true | 78 | ······var_mount_anyfile:·true |
| 81 | ······var_se | 79 | ······var_selinuxuser_tcp_server:·false |
| 82 | ······var_daemons_use_tcp_wrapper:·false | 80 | ······var_daemons_use_tcp_wrapper:·false |
| 81 | ······var_cron_can_relabel:·false | ||
| 83 | ······var_user_exec_content:·true | 82 | ······var_user_exec_content:·true |
| 84 | ······var_deny_ptrace:·false | 83 | ······var_deny_ptrace:·false |
| 85 | ······var_ | 84 | ······var_secure_mode:·false |
| 85 | ······var_xdm_write_home:·false | ||
| 86 | ······var_xserver_object_manager:·false | 86 | ······var_xserver_object_manager:·false |
| 87 | ······var_xdm_sysadm_login:·false | 87 | ······var_xdm_sysadm_login:·false |
| 88 | ······var_selinuxuser_mysql_connect_enabled:·false | 88 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 89 | ······var_ssh_keysign:·false | ||
| 90 | ······var_xserver_execmem:·false | ||
| 91 | ······var_cron_userdomain_transition:·true | 89 | ······var_cron_userdomain_transition:·true |
| 92 | ······var_secure_mode_insmod:·false | ||
| 93 | ······var_xguest_mount_media:·true | 90 | ······var_xguest_mount_media:·true |
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 91 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 92 | ······var_deny_execmem:·false |
| 96 | ······var_ | 93 | ······var_gpg_web_anon_write:·false |
| 97 | ······var_secure_mode_policyload:·false | ||
| 98 | ······var_abrt_anon_write:·false | 94 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 95 | ······var_ssh_chroot_rw_homedirs:·false |
| 100 | ······var_logging_syslogd_use_tty:·true | 96 | ······var_logging_syslogd_use_tty:·true |
| 97 | ······var_login_console_enabled:·true | ||
| 101 | ······var_abrt_handle_event:·false | 98 | ······var_abrt_handle_event:·false |
| 99 | ······var_mock_enable_homedirs:·false | ||
| 102 | ······var_unconfined_login:·true | 100 | ······var_unconfined_login:·true |
| 101 | ······var_logging_syslogd_can_sendmail:·false | ||
| 103 | ······var_selinuxuser_postgresql_connect_enabled:·false | 102 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 104 | ······var_abrt_upload_watch_anon_write:·true | 103 | ······var_abrt_upload_watch_anon_write:·true |
| 105 | ······var_daemons_use_tty:·false | 104 | ······var_daemons_use_tty:·false |
| 106 | ······var_selinuxuser_tcp_server:·false | ||
| 107 | ······var_cron_can_relabel:·false | ||
| 108 | ······var_staff_exec_content:·true | ||
| 109 | ······var_selinuxuser_direct_dri_enabled:·true | 105 | ······var_selinuxuser_direct_dri_enabled:·true |
| 106 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 107 | ······var_xserver_execmem:·false | ||
| 110 | ······var_xserver_clients_write_xshm:·false | 108 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 109 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 110 | ······var_xguest_exec_content:·true |
| 114 | ······var_ | 111 | ······var_domain_kernel_load_modules:·false |
| 115 | ······var_ | 112 | ······var_ssh_keysign:·false |
| 116 | ······var_ | 113 | ······var_secure_mode_insmod:·false |
| 117 | ······var_selinuxuser_ | 114 | ······var_selinuxuser_execmod:·true |
| 115 | ······var_staff_exec_content:·true | ||
| 118 | ······var_mmap_low_allowed:·false | 116 | ······var_mmap_low_allowed:·false |
| 119 | ······var_selinuxuser_share_music:·false | 117 | ······var_selinuxuser_share_music:·false |
| 120 | ······var_ | 118 | ······var_domain_fd_use:·true |
| 119 | ······var_selinuxuser_udp_server:·false | ||
| 121 | ······var_cron_system_cronjob_use_shares:·false | 120 | ······var_cron_system_cronjob_use_shares:·false |
| 121 | ······var_logadm_exec_content:·true | ||
| 122 | ······var_xguest_connect_network:·true | 122 | ······var_xguest_connect_network:·true |
| 123 | ······var_xdm_write_home:·false | ||
| 124 | ······var_sysadm_exec_content:·true | 123 | ······var_sysadm_exec_content:·true |
| 125 | ······var_xguest_use_bluetooth:·true | 124 | ······var_xguest_use_bluetooth:·true |
| 126 | ······var_ | 125 | ······var_kerberos_enabled:·true |
| 127 | ······var_ | 126 | ······var_guest_exec_content:·true |
| 128 | ······var_daemons_dump_core:·false | 127 | ······var_daemons_dump_core:·false |
| 129 | ······var_xdm_exec_bootloader:·false | 128 | ······var_xdm_exec_bootloader:·false |
| 130 | ······var_fips_mode:·true | 129 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 130 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | ||
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 131 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 132 | ······var_selinuxuser_ping:·true |
| 133 | ······var_secure_mode_policyload:·false | ||
| 134 | ······var_selinuxuser_execheap:·false | ||
| 135 | ······var_secadm_exec_content:·true | 135 | ······var_secadm_exec_content:·true |
| 136 | ······var_selinux_policy_name:·targeted | 136 | ······var_selinux_policy_name:·targeted |
| 137 | ······var_selinux_state:·enforcing | 137 | ······var_selinux_state:·enforcing |
| 138 | ······var_accounts_password_minlen_login_defs:·6 | 138 | ······var_accounts_password_minlen_login_defs:·6 |
| 139 | ······var_accounts_password_warn_age_login_defs:·7 | 139 | ······var_accounts_password_warn_age_login_defs:·7 |
| 140 | ······var_accounts_minimum_age_login_defs:·7 | 140 | ······var_accounts_minimum_age_login_defs:·7 |
| 141 | ······var_accounts_maximum_age_login_defs:·60 | 141 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 155, 22 lines modified | Offset 155, 22 lines modified | ||
| 155 | ······var_password_pam_difok:·8 | 155 | ······var_password_pam_difok:·8 |
| 156 | ······var_password_pam_ocredit:·-1 | 156 | ······var_password_pam_ocredit:·-1 |
| 157 | ······var_password_pam_lcredit:·-1 | 157 | ······var_password_pam_lcredit:·-1 |
| 158 | ······var_password_pam_ucredit:·-1 | 158 | ······var_password_pam_ucredit:·-1 |
| 159 | ······var_password_pam_retry:·3 | 159 | ······var_password_pam_retry:·3 |
| 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 161 | ······var_accounts_user_umask:·077 | 161 | ······var_accounts_user_umask:·077 |
| 162 | ······var_accounts_tmout:·600 | ||
| 163 | ······var_accounts_fail_delay:·4 | 162 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_max_concurrent_login_sessions:·10 | 163 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 164 | ······var_accounts_tmout:·600 | ||
| 165 | ······var_removable_partition:·/dev/cdrom | 165 | ······var_removable_partition:·/dev/cdrom |
| 166 | ······var_removable_partition:·/dev/cdrom | 166 | ······var_removable_partition:·/dev/cdrom |
| 167 | ······var_removable_partition:·/dev/cdrom | 167 | ······var_removable_partition:·/dev/cdrom |
| 168 | ······var_auditd_action_mail_acct:·root | ||
| 169 | ······var_auditd_max_log_file:·6 | 168 | ······var_auditd_max_log_file:·6 |
| 169 | ······var_auditd_action_mail_acct:·root | ||
| 170 | ······var_auditd_space_left_action:·email | 170 | ······var_auditd_space_left_action:·email |
| 171 | ······var_auditd_admin_space_left_action:·single | 171 | ······var_auditd_admin_space_left_action:·single |
| 172 | ······var_auditd_max_log_file_action:·rotate | 172 | ······var_auditd_max_log_file_action:·rotate |
| 173 | ······inactivity_timeout_value:·600 | 173 | ······inactivity_timeout_value:·600 |
| 174 | ···tasks: | 174 | ···tasks: |
| 175 | ····-·name:·Ensure·rsh·is·removed | 175 | ····-·name:·Ensure·rsh·is·removed |
| 176 | ······package: | 176 | ······package: |
| Offset 205, 54 lines modified | Offset 205, 54 lines modified | ||
| 205 | ········-·CCE-27336-7 | 205 | ········-·CCE-27336-7 |
| 206 | ········-·NIST-800-53-AC-17(8) | 206 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 67, 86 lines modified | Offset 67, 86 lines modified | ||
| 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 74 | ······sysctl_net_ipv4_icmp_ | 74 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 78 | ······sysctl_net_ipv4_conf_ | 78 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 79 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 80 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 79 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 81 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 80 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 82 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 81 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 83 | ······sysctl_net_ipv4_ | 82 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 84 | ······sysctl_net_ipv4_c | 83 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 84 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 86 | ······var_ssh_sysadm_login:·false | 86 | ······var_ssh_sysadm_login:·false |
| 87 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 87 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 88 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_gpg_web_anon_write:·false | ||
| 91 | ······var_mount_anyfile:·true | 89 | ······var_mount_anyfile:·true |
| 92 | ······var_se | 90 | ······var_selinuxuser_tcp_server:·false |
| 93 | ······var_daemons_use_tcp_wrapper:·false | 91 | ······var_daemons_use_tcp_wrapper:·false |
| 92 | ······var_cron_can_relabel:·false | ||
| 94 | ······var_user_exec_content:·true | 93 | ······var_user_exec_content:·true |
| 95 | ······var_deny_ptrace:·false | 94 | ······var_deny_ptrace:·false |
| 96 | ······var_ | 95 | ······var_secure_mode:·false |
| 96 | ······var_xdm_write_home:·false | ||
| 97 | ······var_xserver_object_manager:·false | 97 | ······var_xserver_object_manager:·false |
| 98 | ······var_xdm_sysadm_login:·false | 98 | ······var_xdm_sysadm_login:·false |
| 99 | ······var_selinuxuser_mysql_connect_enabled:·false | 99 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 100 | ······var_ssh_keysign:·false | ||
| 101 | ······var_xserver_execmem:·false | ||
| 102 | ······var_cron_userdomain_transition:·true | 100 | ······var_cron_userdomain_transition:·true |
| 103 | ······var_secure_mode_insmod:·false | ||
| 104 | ······var_xguest_mount_media:·true | 101 | ······var_xguest_mount_media:·true |
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 102 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 103 | ······var_deny_execmem:·false |
| 107 | ······var_ | 104 | ······var_gpg_web_anon_write:·false |
| 108 | ······var_secure_mode_policyload:·false | ||
| 109 | ······var_abrt_anon_write:·false | 105 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 106 | ······var_ssh_chroot_rw_homedirs:·false |
| 111 | ······var_logging_syslogd_use_tty:·true | 107 | ······var_logging_syslogd_use_tty:·true |
| 108 | ······var_login_console_enabled:·true | ||
| 112 | ······var_abrt_handle_event:·false | 109 | ······var_abrt_handle_event:·false |
| 110 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_unconfined_login:·true | 111 | ······var_unconfined_login:·true |
| 112 | ······var_logging_syslogd_can_sendmail:·false | ||
| 114 | ······var_selinuxuser_postgresql_connect_enabled:·false | 113 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 115 | ······var_abrt_upload_watch_anon_write:·true | 114 | ······var_abrt_upload_watch_anon_write:·true |
| 116 | ······var_daemons_use_tty:·false | 115 | ······var_daemons_use_tty:·false |
| 117 | ······var_selinuxuser_tcp_server:·false | ||
| 118 | ······var_cron_can_relabel:·false | ||
| 119 | ······var_staff_exec_content:·true | ||
| 120 | ······var_selinuxuser_direct_dri_enabled:·true | 116 | ······var_selinuxuser_direct_dri_enabled:·true |
| 117 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 118 | ······var_xserver_execmem:·false | ||
| 121 | ······var_xserver_clients_write_xshm:·false | 119 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 120 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 121 | ······var_xguest_exec_content:·true |
| 125 | ······var_ | 122 | ······var_domain_kernel_load_modules:·false |
| 126 | ······var_ | 123 | ······var_ssh_keysign:·false |
| 127 | ······var_ | 124 | ······var_secure_mode_insmod:·false |
| 128 | ······var_selinuxuser_ | 125 | ······var_selinuxuser_execmod:·true |
| 126 | ······var_staff_exec_content:·true | ||
| 129 | ······var_mmap_low_allowed:·false | 127 | ······var_mmap_low_allowed:·false |
| 130 | ······var_selinuxuser_share_music:·false | 128 | ······var_selinuxuser_share_music:·false |
| 131 | ······var_ | 129 | ······var_domain_fd_use:·true |
| 130 | ······var_selinuxuser_udp_server:·false | ||
| 132 | ······var_cron_system_cronjob_use_shares:·false | 131 | ······var_cron_system_cronjob_use_shares:·false |
| 132 | ······var_logadm_exec_content:·true | ||
| 133 | ······var_xguest_connect_network:·true | 133 | ······var_xguest_connect_network:·true |
| 134 | ······var_xdm_write_home:·false | ||
| 135 | ······var_sysadm_exec_content:·true | 134 | ······var_sysadm_exec_content:·true |
| 136 | ······var_xguest_use_bluetooth:·true | 135 | ······var_xguest_use_bluetooth:·true |
| 137 | ······var_ | 136 | ······var_kerberos_enabled:·true |
| 138 | ······var_ | 137 | ······var_guest_exec_content:·true |
| 139 | ······var_daemons_dump_core:·false | 138 | ······var_daemons_dump_core:·false |
| 140 | ······var_xdm_exec_bootloader:·false | 139 | ······var_xdm_exec_bootloader:·false |
| 141 | ······var_fips_mode:·true | 140 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 141 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | ||
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 142 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 143 | ······var_selinuxuser_ping:·true |
| 144 | ······var_secure_mode_policyload:·false | ||
| 145 | ······var_selinuxuser_execheap:·false | ||
| 146 | ······var_secadm_exec_content:·true | 146 | ······var_secadm_exec_content:·true |
| 147 | ······var_selinux_policy_name:·targeted | 147 | ······var_selinux_policy_name:·targeted |
| 148 | ······var_selinux_state:·enforcing | 148 | ······var_selinux_state:·enforcing |
| 149 | ······var_accounts_password_minlen_login_defs:·6 | 149 | ······var_accounts_password_minlen_login_defs:·6 |
| 150 | ······var_accounts_password_warn_age_login_defs:·7 | 150 | ······var_accounts_password_warn_age_login_defs:·7 |
| 151 | ······var_accounts_minimum_age_login_defs:·7 | 151 | ······var_accounts_minimum_age_login_defs:·7 |
| 152 | ······var_accounts_maximum_age_login_defs:·60 | 152 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 166, 22 lines modified | Offset 166, 22 lines modified | ||
| 166 | ······var_password_pam_difok:·8 | 166 | ······var_password_pam_difok:·8 |
| 167 | ······var_password_pam_ocredit:·-1 | 167 | ······var_password_pam_ocredit:·-1 |
| 168 | ······var_password_pam_lcredit:·-1 | 168 | ······var_password_pam_lcredit:·-1 |
| 169 | ······var_password_pam_ucredit:·-1 | 169 | ······var_password_pam_ucredit:·-1 |
| 170 | ······var_password_pam_retry:·3 | 170 | ······var_password_pam_retry:·3 |
| 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 172 | ······var_accounts_user_umask:·077 | 172 | ······var_accounts_user_umask:·077 |
| 173 | ······var_accounts_tmout:·600 | ||
| 174 | ······var_accounts_fail_delay:·4 | 173 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_max_concurrent_login_sessions:·10 | 174 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 175 | ······var_accounts_tmout:·600 | ||
| 176 | ······var_removable_partition:·/dev/cdrom | 176 | ······var_removable_partition:·/dev/cdrom |
| 177 | ······var_removable_partition:·/dev/cdrom | 177 | ······var_removable_partition:·/dev/cdrom |
| 178 | ······var_removable_partition:·/dev/cdrom | 178 | ······var_removable_partition:·/dev/cdrom |
| 179 | ······var_auditd_action_mail_acct:·root | ||
| 180 | ······var_auditd_max_log_file:·6 | 179 | ······var_auditd_max_log_file:·6 |
| 180 | ······var_auditd_action_mail_acct:·root | ||
| 181 | ······var_auditd_space_left_action:·email | 181 | ······var_auditd_space_left_action:·email |
| 182 | ······var_auditd_admin_space_left_action:·single | 182 | ······var_auditd_admin_space_left_action:·single |
| 183 | ······var_auditd_max_log_file_action:·rotate | 183 | ······var_auditd_max_log_file_action:·rotate |
| 184 | ······inactivity_timeout_value:·900 | 184 | ······inactivity_timeout_value:·900 |
| 185 | ···tasks: | 185 | ···tasks: |
| 186 | ····-·name:·Ensure·rsh·is·removed | 186 | ····-·name:·Ensure·rsh·is·removed |
| 187 | ······package: | 187 | ······package: |
| Offset 216, 54 lines modified | Offset 216, 54 lines modified | ||
| 216 | ········-·CCE-27336-7 | 216 | ········-·CCE-27336-7 |
| 217 | ········-·NIST-800-53-AC-17(8) | 217 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 40, 16 lines modified | Offset 40, 16 lines modified | ||
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_password_pam_dcredit:·-1 | 44 | ······var_password_pam_dcredit:·-1 |
| 45 | ······var_password_pam_lcredit:·-1 | 45 | ······var_password_pam_lcredit:·-1 |
| 46 | ······var_password_pam_ucredit:·-1 | 46 | ······var_password_pam_ucredit:·-1 |
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_max_log_file:·1 | 47 | ······var_auditd_max_log_file:·1 |
| 48 | ······var_auditd_action_mail_acct:·admin | ||
| 49 | ······var_auditd_space_left_action:·suspend | 49 | ······var_auditd_space_left_action:·suspend |
| 50 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 51 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······inactivity_timeout_value:·900 | 52 | ······inactivity_timeout_value:·900 |
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| Offset 113, 37 lines modified | Offset 113, 14 lines modified | ||
| 113 | ········-·NIST-800-53-IA-5(g) | 113 | ········-·NIST-800-53-IA-5(g) |
| 114 | ········-·NIST-800-53-IA-5(1)(d) | 114 | ········-·NIST-800-53-IA-5(1)(d) |
| 115 | ········-·NIST-800-171-3.5.6 | 115 | ········-·NIST-800-171-3.5.6 |
| 116 | ········-·PCI-DSS-Req-8.2.4 | 116 | ········-·PCI-DSS-Req-8.2.4 |
| 117 | ········-·CJIS-5.6.2.1 | 117 | ········-·CJIS-5.6.2.1 |
| 118 | ········-·DISA-STIG-RHEL-07-010250 | 118 | ········-·DISA-STIG-RHEL-07-010250 |
| 119 | ···· | 119 | ···· |
| 120 | ···· | ||
| 121 | ···· | ||
| 122 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 123 | ······lineinfile: | ||
| 124 | ········create:·yes | ||
| 125 | ········dest:·/etc/default/useradd | ||
| 126 | ········regexp:·^INACTIVE | ||
| 127 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 128 | ······tags: | ||
| 129 | ········-·account_disable_post_pw_expiration | ||
| 130 | ········-·medium_severity | ||
| 131 | ········-·restrict_strategy | ||
| 132 | ········-·low_complexity | ||
| 133 | ········-·low_disruption | ||
| 134 | ········-·CCE-27355-7 | ||
| 135 | ········-·NIST-800-53-AC-2(2) | ||
| 136 | ········-·NIST-800-53-AC-2(3) | ||
| 137 | ········-·NIST-800-53-IA-4(e) | ||
| 138 | ········-·NIST-800-171-3.5.6 | ||
| 139 | ········-·PCI-DSS-Req-8.1.4 | ||
| 140 | ········-·CJIS-5.6.2.1.1 | ||
| 141 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 142 | ···· | ||
| 143 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 120 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 144 | ······replace: | 121 | ······replace: |
| 145 | ········dest:·/etc/pam.d/system-auth | 122 | ········dest:·/etc/pam.d/system-auth |
| 146 | ········follow:·yes | 123 | ········follow:·yes |
| 147 | ········regexp:·'nullok' | 124 | ········regexp:·'nullok' |
| 148 | ······tags: | 125 | ······tags: |
| 149 | ········-·no_empty_passwords | 126 | ········-·no_empty_passwords |
| Offset 180, 14 lines modified | Offset 157, 37 lines modified | ||
| 180 | ········-·NIST-800-53-IA-5(1)(a) | 157 | ········-·NIST-800-53-IA-5(1)(a) |
| 181 | ········-·NIST-800-171-3.1.1 | 158 | ········-·NIST-800-171-3.1.1 |
| 182 | ········-·NIST-800-171-3.1.5 | 159 | ········-·NIST-800-171-3.1.5 |
| 183 | ········-·PCI-DSS-Req-8.2.3 | 160 | ········-·PCI-DSS-Req-8.2.3 |
| 184 | ········-·CJIS-5.5.2 | 161 | ········-·CJIS-5.5.2 |
| 185 | ········-·DISA-STIG-RHEL-07-010290 | 162 | ········-·DISA-STIG-RHEL-07-010290 |
| 186 | ···· | 163 | ···· |
| 164 | ···· | ||
| 165 | ···· | ||
| 166 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 167 | ······lineinfile: | ||
| 168 | ········create:·yes | ||
| 169 | ········dest:·/etc/default/useradd | ||
| 170 | ········regexp:·^INACTIVE | ||
| 171 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 172 | ······tags: | ||
| 173 | ········-·account_disable_post_pw_expiration | ||
| 174 | ········-·medium_severity | ||
| 175 | ········-·restrict_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27355-7 | ||
| 179 | ········-·NIST-800-53-AC-2(2) | ||
| 180 | ········-·NIST-800-53-AC-2(3) | ||
| 181 | ········-·NIST-800-53-IA-4(e) | ||
| 182 | ········-·NIST-800-171-3.5.6 | ||
| 183 | ········-·PCI-DSS-Req-8.1.4 | ||
| 184 | ········-·CJIS-5.6.2.1.1 | ||
| 185 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 186 | ···· | ||
| 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs | 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs |
| 188 | ······lineinfile: | 188 | ······lineinfile: |
| 189 | ··········dest:·/etc/login.defs | 189 | ··········dest:·/etc/login.defs |
| 190 | ··········regexp:·^#?ENCRYPT_METHOD | 190 | ··········regexp:·^#?ENCRYPT_METHOD |
| 191 | ··········line:·ENCRYPT_METHOD·SHA512 | 191 | ··········line:·ENCRYPT_METHOD·SHA512 |
| 192 | ··········state:·present | 192 | ··········state:·present |
| 193 | ······tags: | 193 | ······tags: |
| Offset 532, 105 lines modified | Offset 532, 105 lines modified | ||
| 532 | ···· | 532 | ···· |
| 533 | ····-·name:·Find·/etc/passwd·file(s) | 533 | ····-·name:·Find·/etc/passwd·file(s) |
| 534 | ······find: | 534 | ······find: |
| 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 537 | ······register:·files_found | 537 | ······register:·files_found |
| 538 | ······tags: | 538 | ······tags: |
| 539 | ········-·file_owner_etc_passwd | 539 | ········-·file_groupowner_etc_passwd |
| 540 | ········-·medium_severity | 540 | ········-·medium_severity |
| 541 | ········-·configure_strategy | 541 | ········-·configure_strategy |
| 542 | ········-·low_complexity | 542 | ········-·low_complexity |
| 543 | ········-·low_disruption | 543 | ········-·low_disruption |
| 544 | ········-·CCE-2 | 544 | ········-·CCE-26639-5 |
| 545 | ········-·NIST-800-53-AC-6 | 545 | ········-·NIST-800-53-AC-6 |
| 546 | ········-·PCI-DSS-Req-8.7.c | 546 | ········-·PCI-DSS-Req-8.7.c |
| 547 | ········-·CJIS-5.5.2.2 | 547 | ········-·CJIS-5.5.2.2 |
| 548 | ···· | 548 | ···· |
| 549 | ····-·name:·Set· | 549 | ····-·name:·Set·group·ownership·to·root |
| 550 | ······file: | 550 | ······file: |
| 551 | ········path:·"{{·item.path·}}" | 551 | ········path:·"{{·item.path·}}" |
| 552 | ········ | 552 | ········group:·root |
| 553 | ······with_items: | 553 | ······with_items: |
| 554 | ········-·"{{·files_found.files·}}" | 554 | ········-·"{{·files_found.files·}}" |
| 555 | ······tags: | 555 | ······tags: |
| 556 | ········-·file_owner_etc_passwd | 556 | ········-·file_groupowner_etc_passwd |
| 557 | ········-·medium_severity | 557 | ········-·medium_severity |
| 558 | ········-·configure_strategy | 558 | ········-·configure_strategy |
| 559 | ········-·low_complexity | 559 | ········-·low_complexity |
| 560 | ········-·low_disruption | 560 | ········-·low_disruption |
| 561 | ········-·CCE-2 | 561 | ········-·CCE-26639-5 |
| 562 | ········-·NIST-800-53-AC-6 | 562 | ········-·NIST-800-53-AC-6 |
| 563 | ········-·PCI-DSS-Req-8.7.c | 563 | ········-·PCI-DSS-Req-8.7.c |
| 564 | ········-·CJIS-5.5.2.2 | 564 | ········-·CJIS-5.5.2.2 |
| Max diff block lines reached; 30903/34829 bytes (88.73%) of diff not shown. | |||
| Offset 1005, 14 lines modified | Offset 1005, 48 lines modified | ||
| 1005 | ········-·low_disruption | 1005 | ········-·low_disruption |
| 1006 | ········-·CCE-26949-8 | 1006 | ········-·CCE-26949-8 |
| 1007 | ········-·NIST-800-53-AC-6 | 1007 | ········-·NIST-800-53-AC-6 |
| 1008 | ········-·PCI-DSS-Req-8.7.c | 1008 | ········-·PCI-DSS-Req-8.7.c |
| 1009 | ········-·CJIS-5.5.2.2 | 1009 | ········-·CJIS-5.5.2.2 |
| 1010 | ···· | 1010 | ···· |
| 1011 | ···· | 1011 | ···· |
| 1012 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1013 | ······find: | ||
| 1014 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1015 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1016 | ······register:·files_found | ||
| 1017 | ······tags: | ||
| 1018 | ········-·file_groupowner_etc_passwd | ||
| 1019 | ········-·medium_severity | ||
| 1020 | ········-·configure_strategy | ||
| 1021 | ········-·low_complexity | ||
| 1022 | ········-·low_disruption | ||
| 1023 | ········-·CCE-26639-5 | ||
| 1024 | ········-·NIST-800-53-AC-6 | ||
| 1025 | ········-·PCI-DSS-Req-8.7.c | ||
| 1026 | ········-·CJIS-5.5.2.2 | ||
| 1027 | ···· | ||
| 1028 | ····-·name:·Set·group·ownership·to·root | ||
| 1029 | ······file: | ||
| 1030 | ········path:·"{{·item.path·}}" | ||
| 1031 | ········group:·root | ||
| 1032 | ······with_items: | ||
| 1033 | ········-·"{{·files_found.files·}}" | ||
| 1034 | ······tags: | ||
| 1035 | ········-·file_groupowner_etc_passwd | ||
| 1036 | ········-·medium_severity | ||
| 1037 | ········-·configure_strategy | ||
| 1038 | ········-·low_complexity | ||
| 1039 | ········-·low_disruption | ||
| 1040 | ········-·CCE-26639-5 | ||
| 1041 | ········-·NIST-800-53-AC-6 | ||
| 1042 | ········-·PCI-DSS-Req-8.7.c | ||
| 1043 | ········-·CJIS-5.5.2.2 | ||
| 1044 | ···· | ||
| 1045 | ···· | ||
| 1012 | ····-·name:·Find·/etc/gshadow·file(s) | 1046 | ····-·name:·Find·/etc/gshadow·file(s) |
| 1013 | ······find: | 1047 | ······find: |
| 1014 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" | 1048 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" |
| 1015 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" | 1049 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" |
| 1016 | ······register:·files_found | 1050 | ······register:·files_found |
| 1017 | ······tags: | 1051 | ······tags: |
| 1018 | ········-·file_groupowner_etc_gshadow | 1052 | ········-·file_groupowner_etc_gshadow |
| Offset 1168, 48 lines modified | Offset 1202, 14 lines modified | ||
| 1168 | ···· | 1202 | ···· |
| 1169 | ···· | 1203 | ···· |
| 1170 | ····-·name:·Find·/etc/passwd·file(s) | 1204 | ····-·name:·Find·/etc/passwd·file(s) |
| 1171 | ······find: | 1205 | ······find: |
| 1172 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 1173 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 1174 | ······register:·files_found | 1208 | ······register:·files_found |
| 1175 | ······tags: | ||
| 1176 | ········-·file_groupowner_etc_passwd | ||
| 1177 | ········-·medium_severity | ||
| 1178 | ········-·configure_strategy | ||
| 1179 | ········-·low_complexity | ||
| 1180 | ········-·low_disruption | ||
| 1181 | ········-·CCE-26639-5 | ||
| 1182 | ········-·NIST-800-53-AC-6 | ||
| 1183 | ········-·PCI-DSS-Req-8.7.c | ||
| 1184 | ········-·CJIS-5.5.2.2 | ||
| 1185 | ···· | ||
| 1186 | ····-·name:·Set·group·ownership·to·root | ||
| 1187 | ······file: | ||
| 1188 | ········path:·"{{·item.path·}}" | ||
| 1189 | ········group:·root | ||
| 1190 | ······with_items: | ||
| 1191 | ········-·"{{·files_found.files·}}" | ||
| 1192 | ······tags: | ||
| 1193 | ········-·file_groupowner_etc_passwd | ||
| 1194 | ········-·medium_severity | ||
| 1195 | ········-·configure_strategy | ||
| 1196 | ········-·low_complexity | ||
| 1197 | ········-·low_disruption | ||
| 1198 | ········-·CCE-26639-5 | ||
| 1199 | ········-·NIST-800-53-AC-6 | ||
| 1200 | ········-·PCI-DSS-Req-8.7.c | ||
| 1201 | ········-·CJIS-5.5.2.2 | ||
| 1202 | ···· | ||
| 1203 | ···· | ||
| 1204 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1205 | ······find: | ||
| 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1208 | ······register:·files_found | ||
| 1209 | ······tags: | 1209 | ······tags: |
| 1210 | ········-·file_permissions_etc_passwd | 1210 | ········-·file_permissions_etc_passwd |
| 1211 | ········-·medium_severity | 1211 | ········-·medium_severity |
| 1212 | ········-·configure_strategy | 1212 | ········-·configure_strategy |
| 1213 | ········-·low_complexity | 1213 | ········-·low_complexity |
| 1214 | ········-·low_disruption | 1214 | ········-·low_disruption |
| 1215 | ········-·CCE-26887-0 | 1215 | ········-·CCE-26887-0 |
| Offset 265, 37 lines modified | Offset 265, 14 lines modified | ||
| 265 | ········-·unknown_severity | 265 | ········-·unknown_severity |
| 266 | ········-·restrict_strategy | 266 | ········-·restrict_strategy |
| 267 | ········-·low_complexity | 267 | ········-·low_complexity |
| 268 | ········-·medium_disruption | 268 | ········-·medium_disruption |
| 269 | ········-·CCE-80200-9 | 269 | ········-·CCE-80200-9 |
| 270 | ········-·NIST-800-53-CM-6(b) | 270 | ········-·NIST-800-53-CM-6(b) |
| 271 | ···· | 271 | ···· |
| 272 | ····-·name:·Disable·service·autofs | ||
| 273 | ······service: | ||
| 274 | ········name="{{item}}" | ||
| 275 | ········enabled="no" | ||
| 276 | ········state="stopped" | ||
| 277 | ······register:·service_result | ||
| 278 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 279 | ······with_items: | ||
| 280 | ········-·autofs | ||
| 281 | ······tags: | ||
| 282 | ········-·service_autofs_disabled | ||
| 283 | ········-·medium_severity | ||
| 284 | ········-·disable_strategy | ||
| 285 | ········-·low_complexity | ||
| 286 | ········-·low_disruption | ||
| 287 | ········-·CCE-27498-5 | ||
| 288 | ········-·NIST-800-53-AC-19(a) | ||
| 289 | ········-·NIST-800-53-AC-19(d) | ||
| 290 | ········-·NIST-800-53-AC-19(e) | ||
| 291 | ········-·NIST-800-53-IA-3 | ||
| 292 | ········-·NIST-800-171-3.4.6 | ||
| 293 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 294 | ···· | ||
| 295 | ····-·name:·get·back·device·associated·to·mountpoint | 272 | ····-·name:·get·back·device·associated·to·mountpoint |
| 296 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 | 273 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 |
| 297 | ······register:·device_name | 274 | ······register:·device_name |
| 298 | ······check_mode:·no | 275 | ······check_mode:·no |
| 299 | ······tags: | 276 | ······tags: |
| 300 | ········-·mount_option_dev_shm_nosuid | 277 | ········-·mount_option_dev_shm_nosuid |
| 301 | ········-·unknown_severity | 278 | ········-·unknown_severity |
| Offset 406, 14 lines modified | Offset 383, 37 lines modified | ||
| 406 | ········-·configure_strategy | 383 | ········-·configure_strategy |
| 407 | ········-·low_complexity | 384 | ········-·low_complexity |
| 408 | ········-·high_disruption | 385 | ········-·high_disruption |
| 409 | ········-·CCE-80152-2 | 386 | ········-·CCE-80152-2 |
| 410 | ········-·NIST-800-53-CM-7 | 387 | ········-·NIST-800-53-CM-7 |
| 411 | ········-·NIST-800-53-MP-2 | 388 | ········-·NIST-800-53-MP-2 |
| 412 | ···· | 389 | ···· |
| 390 | ····-·name:·Disable·service·autofs | ||
| 391 | ······service: | ||
| 392 | ········name="{{item}}" | ||
| 393 | ········enabled="no" | ||
| 394 | ········state="stopped" | ||
| 395 | ······register:·service_result | ||
| 396 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 397 | ······with_items: | ||
| 398 | ········-·autofs | ||
| 399 | ······tags: | ||
| 400 | ········-·service_autofs_disabled | ||
| 401 | ········-·medium_severity | ||
| 402 | ········-·disable_strategy | ||
| 403 | ········-·low_complexity | ||
| 404 | ········-·low_disruption | ||
| 405 | ········-·CCE-27498-5 | ||
| 406 | ········-·NIST-800-53-AC-19(a) | ||
| 407 | ········-·NIST-800-53-AC-19(d) | ||
| 408 | ········-·NIST-800-53-AC-19(e) | ||
| 409 | ········-·NIST-800-53-IA-3 | ||
| 410 | ········-·NIST-800-171-3.4.6 | ||
| 411 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 412 | ···· | ||
| 413 | ···· | 413 | ···· |
| 414 | ····# | 414 | ····# |
| 415 | ····#·What·architecture·are·we·on? | 415 | ····#·What·architecture·are·we·on? |
| 416 | ····# | 416 | ····# |
| 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks | 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks |
| 418 | ······set_fact: | 418 | ······set_fact: |
| 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| Offset 970, 154 lines modified | Offset 970, 14 lines modified | ||
| 970 | ········-·CJIS-5.4.1.1 | 970 | ········-·CJIS-5.4.1.1 |
| 971 | ········-·DISA-STIG-RHEL-07-030460 | 971 | ········-·DISA-STIG-RHEL-07-030460 |
| 972 | ···· | 972 | ···· |
| 973 | ···· | 973 | ···· |
| 974 | ····# | 974 | ····# |
| 975 | ····#·What·architecture·are·we·on? | 975 | ····#·What·architecture·are·we·on? |
| 976 | ····# | 976 | ····# |
| 977 | ····-·name:·Set·architecture·for·audit·chmod·tasks | ||
| 978 | ······set_fact: | ||
| 979 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | ||
| 980 | ···· | ||
| 981 | ····# | ||
| 982 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | ||
| 983 | ····# | ||
| 984 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | ||
| 985 | ······find: | ||
| 986 | ········paths:·"/etc/audit/rules.d" | ||
| 987 | ········recurse:·no | ||
| 988 | ········contains:·"-F·key=perm_mod$" | ||
| 989 | ········patterns:·"*.rules" | ||
| 990 | ······register:·find_chmod | ||
| 991 | ···· | ||
| 992 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | ||
| 993 | ······set_fact: | ||
| 994 | ········all_files:· | ||
| 995 | ··········-·/etc/audit/rules.d/privileged.rules | ||
| 996 | ······when:·find_chmod.matched·==·0 | ||
| 997 | ···· | ||
| 998 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | ||
| 999 | ······set_fact: | ||
| 1000 | ········all_files: | ||
| 1001 | ··········-·"{{·find_chmod.files·|·map(attribute='path')·|·list·|·first·}}" | ||
| 1002 | ······when:·find_chmod.matched·>·0 | ||
| 1003 | ···· | ||
| 1004 | ····-·name:·Inserts/replaces·the·chmod·rule·in·rules.d·when·on·x86 | ||
| 1005 | ······lineinfile: | ||
| 1006 | ········path:·"{{·all_files[0]·}}" | ||
| 1007 | ········line:·"-a·always,exit·-F·arch=b32·-S·chmod·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" | ||
| 1008 | ········create:·yes | ||
| 1009 | ······tags: | ||
| 1010 | ········-·audit_rules_dac_modification_chmod | ||
| 1011 | ········-·unknown_severity | ||
| 1012 | ········-·restrict_strategy | ||
| 1013 | ········-·low_complexity | ||
| 1014 | ········-·low_disruption | ||
| 1015 | ········-·CCE-27339-1 | ||
| 1016 | ········-·NIST-800-53-AC-17(7) | ||
| 1017 | ········-·NIST-800-53-AU-1(b) | ||
| 1018 | ········-·NIST-800-53-AU-2(a) | ||
| 1019 | ········-·NIST-800-53-AU-2(c) | ||
| 1020 | ········-·NIST-800-53-AU-2(d) | ||
| Max diff block lines reached; 17435/24355 bytes (71.59%) of diff not shown. | |||
| Offset 43, 18 lines modified | Offset 43, 18 lines modified | ||
| 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 54 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 55 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 56 | ······var_accounts_minimum_age_login_defs:·1 |
| 57 | ······var_accounts_maximum_age_login_defs:·60 | 57 | ······var_accounts_maximum_age_login_defs:·60 |
| 58 | ······var_account_disable_post_pw_expiration:·0 | 58 | ······var_account_disable_post_pw_expiration:·0 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 71, 17 lines modified | Offset 71, 17 lines modified | ||
| 71 | ······var_password_pam_difok:·8 | 71 | ······var_password_pam_difok:·8 |
| 72 | ······var_password_pam_ocredit:·-1 | 72 | ······var_password_pam_ocredit:·-1 |
| 73 | ······var_password_pam_lcredit:·-1 | 73 | ······var_password_pam_lcredit:·-1 |
| 74 | ······var_password_pam_ucredit:·-1 | 74 | ······var_password_pam_ucredit:·-1 |
| 75 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 77 | ······var_accounts_user_umask:·077 | 77 | ······var_accounts_user_umask:·077 |
| 78 | ······var_accounts_tmout:·600 | ||
| 79 | ······var_accounts_fail_delay:·4 | 78 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_max_concurrent_login_sessions:·10 | 79 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 80 | ······var_accounts_tmout:·600 | ||
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······inactivity_timeout_value:·900 | 84 | ······inactivity_timeout_value:·900 |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| Offset 790, 33 lines modified | Offset 790, 14 lines modified | ||
| 790 | ········-·low_disruption | 790 | ········-·low_disruption |
| 791 | ········-·CCE-27343-3 | 791 | ········-·CCE-27343-3 |
| 792 | ········-·NIST-800-53-AU-3(2) | 792 | ········-·NIST-800-53-AU-3(2) |
| 793 | ········-·NIST-800-53-AU-4(1) | 793 | ········-·NIST-800-53-AU-4(1) |
| 794 | ········-·NIST-800-53-AU-9 | 794 | ········-·NIST-800-53-AU-9 |
| 795 | ········-·DISA-STIG-RHEL-07-031000 | 795 | ········-·DISA-STIG-RHEL-07-031000 |
| 796 | ···· | 796 | ···· |
| 797 | ···· | ||
| 798 | ···· | ||
| 799 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 800 | ······sysctl: | ||
| 801 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 802 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 803 | ········state:·present | ||
| 804 | ········reload:·yes | ||
| 805 | ······tags: | ||
| 806 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 807 | ········-·medium_severity | ||
| 808 | ········-·disable_strategy | ||
| 809 | ········-·low_complexity | ||
| 810 | ········-·medium_disruption | ||
| 811 | ········-·CCE-80179-5 | ||
| 812 | ········-·NIST-800-53-AC-4 | ||
| 813 | ········-·NIST-800-171-3.1.20 | ||
| 814 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 815 | ···· | ||
| 816 | ····-·name:·Enable·service·firewalld | 797 | ····-·name:·Enable·service·firewalld |
| 817 | ······service: | 798 | ······service: |
| 818 | ········name="{{item}}" | 799 | ········name="{{item}}" |
| 819 | ········enabled="yes" | 800 | ········enabled="yes" |
| 820 | ········state="started" | 801 | ········state="started" |
| 821 | ······with_items: | 802 | ······with_items: |
| 822 | ········-·firewalld | 803 | ········-·firewalld |
| Offset 830, 14 lines modified | Offset 811, 33 lines modified | ||
| 830 | ········-·NIST-800-53-CM-6(b) | 811 | ········-·NIST-800-53-CM-6(b) |
| 831 | ········-·NIST-800-171-3.1.3 | 812 | ········-·NIST-800-171-3.1.3 |
| 832 | ········-·NIST-800-171-3.4.7 | 813 | ········-·NIST-800-171-3.4.7 |
| 833 | ········-·DISA-STIG-RHEL-07-040520 | 814 | ········-·DISA-STIG-RHEL-07-040520 |
| 834 | ···· | 815 | ···· |
| 835 | ···· | 816 | ···· |
| 836 | ···· | 817 | ···· |
| 818 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 819 | ······sysctl: | ||
| 820 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 821 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 822 | ········state:·present | ||
| 823 | ········reload:·yes | ||
| 824 | ······tags: | ||
| 825 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 826 | ········-·medium_severity | ||
| 827 | ········-·disable_strategy | ||
| 828 | ········-·low_complexity | ||
| 829 | ········-·medium_disruption | ||
| 830 | ········-·CCE-80179-5 | ||
| 831 | ········-·NIST-800-53-AC-4 | ||
| 832 | ········-·NIST-800-171-3.1.20 | ||
| 833 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 834 | ···· | ||
| 835 | ···· | ||
| 836 | ···· | ||
| 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set | 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set |
| 838 | ······sysctl: | 838 | ······sysctl: |
| 839 | ········name:·net.ipv4.conf.default.accept_source_route | 839 | ········name:·net.ipv4.conf.default.accept_source_route |
| 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" | 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" |
| 841 | ········state:·present | 841 | ········state:·present |
| 842 | ········reload:·yes | 842 | ········reload:·yes |
| 843 | ······tags: | 843 | ······tags: |
| Offset 853, 56 lines modified | Offset 853, 55 lines modified | ||
| 853 | ········-·NIST-800-53-SC-7 | 853 | ········-·NIST-800-53-SC-7 |
| 854 | ········-·NIST-800-171-3.1.20 | 854 | ········-·NIST-800-171-3.1.20 |
| 855 | ········-·CJIS-5.10.1.1 | 855 | ········-·CJIS-5.10.1.1 |
| 856 | ········-·DISA-STIG-RHEL-07-040620 | 856 | ········-·DISA-STIG-RHEL-07-040620 |
| 857 | ···· | 857 | ···· |
| 858 | ···· | 858 | ···· |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Ensure·sysctl·net.ipv4. | 860 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 861 | ······sysctl: | 861 | ······sysctl: |
| 862 | ········name:·net.ipv4. | 862 | ········name:·net.ipv4.conf.default.accept_redirects |
| 863 | ········value:·"{{·sysctl_net_ipv4_ | 863 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 864 | ········state:·present | 864 | ········state:·present |
| 865 | ········reload:·yes | 865 | ········reload:·yes |
| 866 | ······tags: | 866 | ······tags: |
| 867 | ········-·sysctl_net_ipv4_ | 867 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 868 | ········-·medium_severity | 868 | ········-·medium_severity |
| 869 | ········-·disable_strategy | 869 | ········-·disable_strategy |
| 870 | ········-·low_complexity | 870 | ········-·low_complexity |
| 871 | ········-·medium_disruption | 871 | ········-·medium_disruption |
| Max diff block lines reached; 74412/81586 bytes (91.21%) of diff not shown. | |||
| Offset 39, 44 lines modified | Offset 39, 44 lines modified | ||
| 39 | ·······assert: | 39 | ·······assert: |
| 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 41 | ·········msg:·> | 41 | ·········msg:·> |
| 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······var_auditd_max_log_file:·1 | ||
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_space_left_action:·suspend | ||
| 49 | ······var_auditd_admin_space_left_action:·suspend | ||
| 50 | ······var_auditd_max_log_file_action:·ignore | ||
| 46 | ······rsyslog_remote_loghost_address:·None | 51 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 52 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 55 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 59 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 60 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 61 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 62 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 60 | ······sysctl_net_ipv4_c | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 61 | ······var_selinux_policy_name:·targeted | 66 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 67 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | 68 | ······var_accounts_minimum_age_login_defs:·1 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 70 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 71 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 72 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 73 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 74 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 75 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_auditd_action_mail_acct:·admin | ||
| 72 | ······var_auditd_max_log_file:·1 | ||
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | ||
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ······var_removable_partition:·/dev/cdrom | 77 | ······var_removable_partition:·/dev/cdrom |
| 78 | ······var_removable_partition:·/dev/cdrom | 78 | ······var_removable_partition:·/dev/cdrom |
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·vsftpd·is·removed | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| Offset 103, 29 lines modified | Offset 103, 14 lines modified | ||
| 103 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 104 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 105 | ········-·low_complexity | 105 | ········-·low_complexity |
| 106 | ········-·low_disruption | 106 | ········-·low_disruption |
| 107 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 108 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 109 | ···· | 109 | ···· |
| 110 | ····-·name:·Ensure·dhcp·is·removed | ||
| 111 | ······package: | ||
| 112 | ········name="{{item}}" | ||
| 113 | ········state=absent | ||
| 114 | ······with_items: | ||
| 115 | ········-·dhcp | ||
| 116 | ······tags: | ||
| 117 | ········-·package_dhcp_removed | ||
| 118 | ········-·medium_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27120-5 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ···· | ||
| 125 | ····-·name:·Enable·service·ntpd | 110 | ····-·name:·Enable·service·ntpd |
| 126 | ······service: | 111 | ······service: |
| 127 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 128 | ········enabled="yes" | 113 | ········enabled="yes" |
| 129 | ········state="started" | 114 | ········state="started" |
| 130 | ······with_items: | 115 | ······with_items: |
| 131 | ········-·ntpd | 116 | ········-·ntpd |
| Offset 168, 65 lines modified | Offset 153, 14 lines modified | ||
| 168 | ········-·package_net-snmp_removed | 153 | ········-·package_net-snmp_removed |
| 169 | ········-·unknown_severity | 154 | ········-·unknown_severity |
| 170 | ········-·disable_strategy | 155 | ········-·disable_strategy |
| 171 | ········-·low_complexity | 156 | ········-·low_complexity |
| 172 | ········-·low_disruption | 157 | ········-·low_disruption |
| 173 | ········-·CCE-26332-7 | 158 | ········-·CCE-26332-7 |
| 174 | ···· | 159 | ···· |
| 175 | ····-·name:·Enable·service·crond | ||
| 176 | ······service: | ||
| 177 | ········name="{{item}}" | ||
| 178 | ········enabled="yes" | ||
| 179 | ········state="started" | ||
| 180 | ······with_items: | ||
| 181 | ········-·crond | ||
| 182 | ······tags: | ||
| 183 | ········-·service_crond_enabled | ||
| 184 | ········-·medium_severity | ||
| 185 | ········-·enable_strategy | ||
| 186 | ········-·low_complexity | ||
| 187 | ········-·low_disruption | ||
| 188 | ········-·CCE-27070-2 | ||
| 189 | ········-·NIST-800-53-CM-7 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 191 | ···· | ||
| 192 | ····-·name:·Disable·service·atd | ||
| 193 | ······service: | ||
| 194 | ········name="{{item}}" | ||
| 195 | ········enabled="no" | ||
| 196 | ········state="stopped" | ||
| 197 | ······register:·service_result | ||
| 198 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 199 | ······with_items: | ||
| 200 | ········-·atd | ||
| 201 | ······tags: | ||
| 202 | ········-·service_atd_disabled | ||
| 203 | ········-·unknown_severity | ||
| 204 | ········-·disable_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27249-2 | ||
| 208 | ········-·NIST-800-53-CM-7 | ||
| 209 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 210 | ···· | ||
| 211 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| Max diff block lines reached; 80006/84947 bytes (94.18%) of diff not shown. | |||
| Offset 33, 31 lines modified | Offset 33, 31 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 50 | ······sysctl_net_ipv4_c | 49 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 54 | ······var_accounts_minimum_age_login_defs:·1 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 207, 65 lines modified | Offset 207, 14 lines modified | ||
| 207 | ········-·service_snmpd_disabled | 207 | ········-·service_snmpd_disabled |
| 208 | ········-·unknown_severity | 208 | ········-·unknown_severity |
| 209 | ········-·disable_strategy | 209 | ········-·disable_strategy |
| 210 | ········-·low_complexity | 210 | ········-·low_complexity |
| 211 | ········-·low_disruption | 211 | ········-·low_disruption |
| 212 | ········-·CCE-26906-8 | 212 | ········-·CCE-26906-8 |
| 213 | ···· | 213 | ···· |
| 214 | ····-·name:·Enable·service·crond | ||
| 215 | ······service: | ||
| 216 | ········name="{{item}}" | ||
| 217 | ········enabled="yes" | ||
| 218 | ········state="started" | ||
| 219 | ······with_items: | ||
| 220 | ········-·crond | ||
| 221 | ······tags: | ||
| 222 | ········-·service_crond_enabled | ||
| 223 | ········-·medium_severity | ||
| 224 | ········-·enable_strategy | ||
| 225 | ········-·low_complexity | ||
| 226 | ········-·low_disruption | ||
| 227 | ········-·CCE-27070-2 | ||
| 228 | ········-·NIST-800-53-CM-7 | ||
| 229 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 230 | ···· | ||
| 231 | ····-·name:·Disable·service·atd | ||
| 232 | ······service: | ||
| 233 | ········name="{{item}}" | ||
| 234 | ········enabled="no" | ||
| 235 | ········state="stopped" | ||
| 236 | ······register:·service_result | ||
| 237 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 238 | ······with_items: | ||
| 239 | ········-·atd | ||
| 240 | ······tags: | ||
| 241 | ········-·service_atd_disabled | ||
| 242 | ········-·unknown_severity | ||
| 243 | ········-·disable_strategy | ||
| 244 | ········-·low_complexity | ||
| 245 | ········-·low_disruption | ||
| 246 | ········-·CCE-27249-2 | ||
| 247 | ········-·NIST-800-53-CM-7 | ||
| 248 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 249 | ···· | ||
| 250 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·xorg-x11-server-common | ||
| 256 | ······tags: | ||
| 257 | ········-·package_xorg-x11-server-common_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-27198-1 | ||
| 263 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 264 | ···· | ||
| 265 | ····-·name:·Ensure·rsh-server·is·removed | 214 | ····-·name:·Ensure·rsh-server·is·removed |
| 266 | ······package: | 215 | ······package: |
| 267 | ········name="{{item}}" | 216 | ········name="{{item}}" |
| 268 | ········state=absent | 217 | ········state=absent |
| 269 | ······with_items: | 218 | ······with_items: |
| 270 | ········-·rsh-server | 219 | ········-·rsh-server |
| 271 | ······tags: | 220 | ······tags: |
| Offset 420, 132 lines modified | Offset 369, 81 lines modified | ||
| 420 | ········-·disable_strategy | 369 | ········-·disable_strategy |
| 421 | ········-·low_complexity | 370 | ········-·low_complexity |
| 422 | ········-·low_disruption | 371 | ········-·low_disruption |
| 423 | ········-·CCE-27005-8 | 372 | ········-·CCE-27005-8 |
| 424 | ········-·NIST-800-53-CM-7 | 373 | ········-·NIST-800-53-CM-7 |
| 425 | ········-·DISA-STIG-RHEL-06-000204 | 374 | ········-·DISA-STIG-RHEL-06-000204 |
| 426 | ···· | 375 | ···· |
| 427 | ····-·name:· | 376 | ····-·name:·Ensure·xorg-x11-server-common·is·removed |
| 428 | ······ | 377 | ······package: |
| 429 | ········name="{{item}}" | ||
| 430 | ········enabled="no" | ||
| 431 | ········state="stopped" | ||
| 432 | ······register:·service_result | ||
| 433 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 434 | ······with_items: | ||
| 435 | ········-·rpcgssd | ||
| 436 | ······tags: | ||
| 437 | ········-·service_rpcgssd_disabled | ||
| 438 | ········-·unknown_severity | ||
| 439 | ········-·disable_strategy | ||
| 440 | ········-·low_complexity | ||
| 441 | ········-·low_disruption | ||
| 442 | ········-·CCE-26864-9 | ||
| 443 | ···· | ||
| 444 | ····-·name:·Disable·service·rpcidmapd | ||
| 445 | ······service: | ||
| Max diff block lines reached; 142861/148402 bytes (96.27%) of diff not shown. | |||
| Offset 34, 39 lines modified | Offset 34, 39 lines modified | ||
| 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······var_auditd_max_log_file:·1 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·suspend | ||
| 45 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 52 | ······sysctl_net_ipv4_c | 56 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 57 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·mls | 58 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 60 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·180 | 61 | ······var_accounts_maximum_age_login_defs:·180 |
| 62 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 63 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 64 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_action_mail_acct:·admin | ||
| 62 | ······var_auditd_max_log_file:·1 | ||
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | 67 | ····-·name:·Disable·service·vsftpd |
| 68 | ······service: | 68 | ······service: |
| 69 | ········name="{{item}}" | 69 | ········name="{{item}}" |
| 70 | ········enabled="no" | 70 | ········enabled="no" |
| 71 | ········state="stopped" | 71 | ········state="stopped" |
| 72 | ······register:·service_result | 72 | ······register:·service_result |
| Offset 123, 47 lines modified | Offset 123, 14 lines modified | ||
| 123 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 124 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 125 | ········-·low_complexity | 125 | ········-·low_complexity |
| 126 | ········-·low_disruption | 126 | ········-·low_disruption |
| 127 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 128 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·dhcp·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·dhcp | ||
| 136 | ······tags: | ||
| 137 | ········-·package_dhcp_removed | ||
| 138 | ········-·medium_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-27120-5 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ···· | ||
| 145 | ····-·name:·Disable·service·dhcpd | ||
| 146 | ······service: | ||
| 147 | ········name="{{item}}" | ||
| 148 | ········enabled="no" | ||
| 149 | ········state="stopped" | ||
| 150 | ······register:·service_result | ||
| 151 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 152 | ······with_items: | ||
| 153 | ········-·dhcpd | ||
| 154 | ······tags: | ||
| 155 | ········-·service_dhcpd_disabled | ||
| 156 | ········-·medium_severity | ||
| 157 | ········-·disable_strategy | ||
| 158 | ········-·low_complexity | ||
| 159 | ········-·low_disruption | ||
| 160 | ········-·CCE-27074-4 | ||
| 161 | ········-·NIST-800-53-CM-7 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Enable·service·ntpd | 130 | ····-·name:·Enable·service·ntpd |
| 164 | ······service: | 131 | ······service: |
| 165 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 166 | ········enabled="yes" | 133 | ········enabled="yes" |
| 167 | ········state="started" | 134 | ········state="started" |
| 168 | ······with_items: | 135 | ······with_items: |
| 169 | ········-·ntpd | 136 | ········-·ntpd |
| Offset 192, 50 lines modified | Offset 159, 14 lines modified | ||
| 192 | ········-·unknown_severity | 159 | ········-·unknown_severity |
| 193 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 194 | ········-·low_complexity | 161 | ········-·low_complexity |
| 195 | ········-·low_disruption | 162 | ········-·low_disruption |
| 196 | ········-·CCE-26899-5 | 163 | ········-·CCE-26899-5 |
| 197 | ········-·NIST-800-53-CM-7 | 164 | ········-·NIST-800-53-CM-7 |
| 198 | ···· | 165 | ···· |
| 199 | ····-·name:·Enable·service·crond | ||
| 200 | ······service: | ||
| 201 | ········name="{{item}}" | ||
| 202 | ········enabled="yes" | ||
| 203 | ········state="started" | ||
| 204 | ······with_items: | ||
| 205 | ········-·crond | ||
| 206 | ······tags: | ||
| 207 | ········-·service_crond_enabled | ||
| 208 | ········-·medium_severity | ||
| 209 | ········-·enable_strategy | ||
| 210 | ········-·low_complexity | ||
| 211 | ········-·low_disruption | ||
| 212 | ········-·CCE-27070-2 | ||
| 213 | ········-·NIST-800-53-CM-7 | ||
| 214 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 215 | ···· | ||
| 216 | ····-·name:·Disable·service·atd | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="no" | ||
| 220 | ········state="stopped" | ||
| 221 | ······register:·service_result | ||
| 222 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 223 | ······with_items: | ||
| Max diff block lines reached; 102912/107604 bytes (95.64%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·vsftpd | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| Offset 128, 47 lines modified | Offset 128, 14 lines modified | ||
| 128 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 129 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 130 | ········-·low_complexity | 130 | ········-·low_complexity |
| 131 | ········-·low_disruption | 131 | ········-·low_disruption |
| 132 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 133 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 134 | ···· | 134 | ···· |
| 135 | ····-·name:·Ensure·dhcp·is·removed | ||
| 136 | ······package: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········state=absent | ||
| 139 | ······with_items: | ||
| 140 | ········-·dhcp | ||
| 141 | ······tags: | ||
| 142 | ········-·package_dhcp_removed | ||
| 143 | ········-·medium_severity | ||
| 144 | ········-·disable_strategy | ||
| 145 | ········-·low_complexity | ||
| 146 | ········-·low_disruption | ||
| 147 | ········-·CCE-27120-5 | ||
| 148 | ········-·NIST-800-53-CM-7 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·dhcpd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·dhcpd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_dhcpd_disabled | ||
| 161 | ········-·medium_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27074-4 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Enable·service·ntpd | 135 | ····-·name:·Enable·service·ntpd |
| 169 | ······service: | 136 | ······service: |
| 170 | ········name="{{item}}" | 137 | ········name="{{item}}" |
| 171 | ········enabled="yes" | 138 | ········enabled="yes" |
| 172 | ········state="started" | 139 | ········state="started" |
| 173 | ······with_items: | 140 | ······with_items: |
| 174 | ········-·ntpd | 141 | ········-·ntpd |
| Offset 210, 50 lines modified | Offset 177, 14 lines modified | ||
| 210 | ········-·service_snmpd_disabled | 177 | ········-·service_snmpd_disabled |
| 211 | ········-·unknown_severity | 178 | ········-·unknown_severity |
| 212 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 213 | ········-·low_complexity | 180 | ········-·low_complexity |
| 214 | ········-·low_disruption | 181 | ········-·low_disruption |
| 215 | ········-·CCE-26906-8 | 182 | ········-·CCE-26906-8 |
| 216 | ···· | 183 | ···· |
| 217 | ····-·name:·Enable·service·crond | ||
| 218 | ······service: | ||
| 219 | ········name="{{item}}" | ||
| 220 | ········enabled="yes" | ||
| 221 | ········state="started" | ||
| 222 | ······with_items: | ||
| 223 | ········-·crond | ||
| 224 | ······tags: | ||
| 225 | ········-·service_crond_enabled | ||
| 226 | ········-·medium_severity | ||
| 227 | ········-·enable_strategy | ||
| 228 | ········-·low_complexity | ||
| 229 | ········-·low_disruption | ||
| 230 | ········-·CCE-27070-2 | ||
| 231 | ········-·NIST-800-53-CM-7 | ||
| 232 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 233 | ···· | ||
| 234 | ····-·name:·Disable·service·atd | ||
| 235 | ······service: | ||
| 236 | ········name="{{item}}" | ||
| 237 | ········enabled="no" | ||
| 238 | ········state="stopped" | ||
| Max diff block lines reached; 120474/125324 bytes (96.13%) of diff not shown. | |||
| Offset 29, 46 lines modified | Offset 29, 46 lines modified | ||
| 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······var_auditd_max_log_file:·1 | ||
| 37 | ······var_auditd_action_mail_acct:·admin | ||
| 38 | ······var_auditd_space_left_action:·suspend | ||
| 39 | ······var_auditd_admin_space_left_action:·halt | ||
| 40 | ······var_auditd_max_log_file_action:·ignore | ||
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 48 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 49 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 56 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 60 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 61 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 65 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 67 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_auditd_action_mail_acct:·admin | ||
| 64 | ······var_auditd_max_log_file:·1 | ||
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ······var_removable_partition:·/dev/cdrom | 69 | ······var_removable_partition:·/dev/cdrom |
| 70 | ······var_removable_partition:·/dev/cdrom | 70 | ······var_removable_partition:·/dev/cdrom |
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| Offset 83, 50 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 126 | ····-·name:·Ensure·rsh·is·removed | 90 | ····-·name:·Ensure·rsh·is·removed |
| 127 | ······package: | 91 | ······package: |
| 128 | ········name="{{item}}" | 92 | ········name="{{item}}" |
| 129 | ········state=absent | 93 | ········state=absent |
| 130 | ······with_items: | 94 | ······with_items: |
| 131 | ········-·rsh | 95 | ········-·rsh |
| 132 | ······tags: | 96 | ······tags: |
| Offset 279, 30 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 286 | ····-·name:· | 250 | ····-·name:·Enable·service·crond |
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| Max diff block lines reached; 114846/119591 bytes (96.03%) of diff not shown. | |||
| Offset 30, 43 lines modified | Offset 30, 43 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_auditd_max_log_file:·6 | ||
| 38 | ······var_auditd_admin_space_left_action:·single | ||
| 39 | ······var_auditd_max_log_file_action:·rotate | ||
| 37 | ······rsyslog_remote_loghost_address:·None | 40 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 43 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 45 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 47 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 56 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | 57 | ······var_accounts_minimum_age_login_defs:·7 |
| 58 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 60 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 61 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 62 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 63 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 64 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 65 | ······var_accounts_tmout:·600 |
| 63 | ······var_auditd_max_log_file:·6 | ||
| 64 | ······var_auditd_admin_space_left_action:·single | ||
| 65 | ······var_auditd_max_log_file_action:·rotate | ||
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | 68 | ····-·name:·Ensure·vsftpd·is·installed |
| 69 | ······package: | 69 | ······package: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········state=present | 71 | ········state=present |
| 72 | ······with_items: | 72 | ······with_items: |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| 310 | ········-·CCE-27005-8 | 259 | ········-·CCE-27005-8 |
| 311 | ········-·NIST-800-53-CM-7 | 260 | ········-·NIST-800-53-CM-7 |
| 312 | ········-·DISA-STIG-RHEL-06-000204 | 261 | ········-·DISA-STIG-RHEL-06-000204 |
| 313 | ···· | 262 | ···· |
| 263 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 264 | ······package: | ||
| 265 | ········name="{{item}}" | ||
| 266 | ········state=absent | ||
| Max diff block lines reached; 103453/109628 bytes (94.37%) of diff not shown. | |||
| Offset 34, 47 lines modified | Offset 34, 47 lines modified | ||
| 34 | ·······assert: | 34 | ·······assert: |
| 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······var_auditd_max_log_file:·6 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·single | ||
| 45 | ······var_auditd_max_log_file_action:·rotate | ||
| 41 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 56 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_ | 58 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 55 | ······sysctl_net_ipv4_c | 59 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 60 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 63 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | 64 | ······var_accounts_minimum_age_login_defs:·7 |
| 65 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 66 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 67 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 68 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 69 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 70 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 71 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 72 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 73 | ······var_accounts_tmout:·600 |
| 69 | ······var_auditd_action_mail_acct:·admin | ||
| 70 | ······var_auditd_max_log_file:·6 | ||
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | ||
| 74 | ······var_removable_partition:·/dev/cdrom | 74 | ······var_removable_partition:·/dev/cdrom |
| 75 | ······var_removable_partition:·/dev/cdrom | 75 | ······var_removable_partition:·/dev/cdrom |
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:·Ensure·vsftpd·is·removed | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······package: | 79 | ······package: |
| 80 | ········name="{{item}}" | 80 | ········name="{{item}}" |
| Offset 119, 47 lines modified | Offset 119, 14 lines modified | ||
| 119 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 120 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 121 | ········-·low_complexity | 121 | ········-·low_complexity |
| 122 | ········-·low_disruption | 122 | ········-·low_disruption |
| 123 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 124 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Ensure·dhcp·is·removed | ||
| 127 | ······package: | ||
| 128 | ········name="{{item}}" | ||
| 129 | ········state=absent | ||
| 130 | ······with_items: | ||
| 131 | ········-·dhcp | ||
| 132 | ······tags: | ||
| 133 | ········-·package_dhcp_removed | ||
| 134 | ········-·medium_severity | ||
| 135 | ········-·disable_strategy | ||
| 136 | ········-·low_complexity | ||
| 137 | ········-·low_disruption | ||
| 138 | ········-·CCE-27120-5 | ||
| 139 | ········-·NIST-800-53-CM-7 | ||
| 140 | ···· | ||
| 141 | ····-·name:·Disable·service·dhcpd | ||
| 142 | ······service: | ||
| 143 | ········name="{{item}}" | ||
| 144 | ········enabled="no" | ||
| 145 | ········state="stopped" | ||
| 146 | ······register:·service_result | ||
| 147 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 148 | ······with_items: | ||
| 149 | ········-·dhcpd | ||
| 150 | ······tags: | ||
| 151 | ········-·service_dhcpd_disabled | ||
| 152 | ········-·medium_severity | ||
| 153 | ········-·disable_strategy | ||
| 154 | ········-·low_complexity | ||
| 155 | ········-·low_disruption | ||
| 156 | ········-·CCE-27074-4 | ||
| 157 | ········-·NIST-800-53-CM-7 | ||
| 158 | ···· | ||
| 159 | ····-·name:·Enable·service·ntpd | 126 | ····-·name:·Enable·service·ntpd |
| 160 | ······service: | 127 | ······service: |
| 161 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 162 | ········enabled="yes" | 129 | ········enabled="yes" |
| 163 | ········state="started" | 130 | ········state="started" |
| 164 | ······with_items: | 131 | ······with_items: |
| 165 | ········-·ntpd | 132 | ········-·ntpd |
| Offset 188, 50 lines modified | Offset 155, 14 lines modified | ||
| 188 | ········-·unknown_severity | 155 | ········-·unknown_severity |
| 189 | ········-·disable_strategy | 156 | ········-·disable_strategy |
| 190 | ········-·low_complexity | 157 | ········-·low_complexity |
| 191 | ········-·low_disruption | 158 | ········-·low_disruption |
| 192 | ········-·CCE-26899-5 | 159 | ········-·CCE-26899-5 |
| 193 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 194 | ···· | 161 | ···· |
| 195 | ····-·name:·Enable·service·crond | ||
| 196 | ······service: | ||
| 197 | ········name="{{item}}" | ||
| 198 | ········enabled="yes" | ||
| 199 | ········state="started" | ||
| 200 | ······with_items: | ||
| 201 | ········-·crond | ||
| 202 | ······tags: | ||
| 203 | ········-·service_crond_enabled | ||
| 204 | ········-·medium_severity | ||
| 205 | ········-·enable_strategy | ||
| 206 | ········-·low_complexity | ||
| 207 | ········-·low_disruption | ||
| 208 | ········-·CCE-27070-2 | ||
| 209 | ········-·NIST-800-53-CM-7 | ||
| 210 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 142180/147328 bytes (96.51%) of diff not shown. | |||
| Offset 30, 26 lines modified | Offset 30, 26 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·900 | 36 | ······sshd_idle_timeout_value:·900 |
| 37 | ······var_auditd_max_log_file:·1 | ||
| 38 | ······var_auditd_action_mail_acct:·admin | ||
| 39 | ······var_auditd_space_left_action:·suspend | ||
| 40 | ······var_auditd_admin_space_left_action:·suspend | ||
| 41 | ······var_auditd_max_log_file_action:·ignore | ||
| 37 | ······var_accounts_maximum_age_login_defs:·90 | 42 | ······var_accounts_maximum_age_login_defs:·90 |
| 38 | ······var_account_disable_post_pw_expiration:·90 | 43 | ······var_account_disable_post_pw_expiration:·90 |
| 39 | ······var_password_pam_unix_remember:·4 | 44 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 45 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 46 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 47 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 48 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_action_mail_acct:·admin | ||
| 45 | ······var_auditd_max_log_file:·1 | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | ||
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| 55 | ······with_items: | 55 | ······with_items: |
| Offset 83, 723 lines modified | Offset 83, 34 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| Max diff block lines reached; 56106/71240 bytes (78.76%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 23 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | 40 | ······var_accounts_minimum_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 68 | ····-·name:·Ensure·rsh-server·is·removed | 49 | ····-·name:·Ensure·rsh-server·is·removed |
| 69 | ······package: | 50 | ······package: |
| 70 | ········name="{{item}}" | 51 | ········name="{{item}}" |
| 71 | ········state=absent | 52 | ········state=absent |
| 72 | ······with_items: | 53 | ······with_items: |
| 73 | ········-·rsh-server | 54 | ········-·rsh-server |
| 74 | ······tags: | 55 | ······tags: |
| Offset 198, 14 lines modified | Offset 179, 33 lines modified | ||
| 198 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 199 | ········-·low_complexity | 180 | ········-·low_complexity |
| 200 | ········-·low_disruption | 181 | ········-·low_disruption |
| 201 | ········-·CCE-27005-8 | 182 | ········-·CCE-27005-8 |
| 202 | ········-·NIST-800-53-CM-7 | 183 | ········-·NIST-800-53-CM-7 |
| 203 | ········-·DISA-STIG-RHEL-06-000204 | 184 | ········-·DISA-STIG-RHEL-06-000204 |
| 204 | ···· | 185 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 480, 219 lines modified | Offset 499, 14 lines modified | ||
| 480 | ········-·low_disruption | 499 | ········-·low_disruption |
| 481 | ········-·CCE-27100-7 | 500 | ········-·CCE-27100-7 |
| 482 | ········-·NIST-800-53-AC-3 | 501 | ········-·NIST-800-53-AC-3 |
| 483 | ········-·NIST-800-53-AC-6(2) | 502 | ········-·NIST-800-53-AC-6(2) |
| 484 | ········-·NIST-800-53-IA-2(1) | 503 | ········-·NIST-800-53-IA-2(1) |
| 485 | ········-·DISA-STIG-RHEL-06-000237 | 504 | ········-·DISA-STIG-RHEL-06-000237 |
| 486 | ···· | 505 | ···· |
| 487 | ····-·name:·Disable·service·avahi-daemon | ||
| 488 | ······service: | ||
| 489 | ········name="{{item}}" | ||
| 490 | ········enabled="no" | ||
| 491 | ········state="stopped" | ||
| 492 | ······register:·service_result | ||
| 493 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| Max diff block lines reached; 12595/22494 bytes (55.99%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Enable·service·ntpd | 69 | ····-·name:·Enable·service·ntpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="yes" | 72 | ········enabled="yes" |
| 73 | ········state="started" | 73 | ········state="started" |
| Offset 80, 65 lines modified | Offset 80, 14 lines modified | ||
| 80 | ········-·low_complexity | 80 | ········-·low_complexity |
| 81 | ········-·low_disruption | 81 | ········-·low_disruption |
| 82 | ········-·CCE-27093-4 | 82 | ········-·CCE-27093-4 |
| 83 | ········-·NIST-800-53-AU-8(1) | 83 | ········-·NIST-800-53-AU-8(1) |
| 84 | ········-·PCI-DSS-Req-10.4 | 84 | ········-·PCI-DSS-Req-10.4 |
| 85 | ········-·DISA-STIG-RHEL-06-000247 | 85 | ········-·DISA-STIG-RHEL-06-000247 |
| 86 | ···· | 86 | ···· |
| 87 | ····-·name:·Enable·service·crond | ||
| 88 | ······service: | ||
| 89 | ········name="{{item}}" | ||
| 90 | ········enabled="yes" | ||
| 91 | ········state="started" | ||
| 92 | ······with_items: | ||
| 93 | ········-·crond | ||
| 94 | ······tags: | ||
| 95 | ········-·service_crond_enabled | ||
| 96 | ········-·medium_severity | ||
| 97 | ········-·enable_strategy | ||
| 98 | ········-·low_complexity | ||
| 99 | ········-·low_disruption | ||
| 100 | ········-·CCE-27070-2 | ||
| 101 | ········-·NIST-800-53-CM-7 | ||
| 102 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 103 | ···· | ||
| 104 | ····-·name:·Disable·service·atd | ||
| 105 | ······service: | ||
| 106 | ········name="{{item}}" | ||
| 107 | ········enabled="no" | ||
| 108 | ········state="stopped" | ||
| 109 | ······register:·service_result | ||
| 110 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 111 | ······with_items: | ||
| 112 | ········-·atd | ||
| 113 | ······tags: | ||
| 114 | ········-·service_atd_disabled | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·disable_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27249-2 | ||
| 120 | ········-·NIST-800-53-CM-7 | ||
| 121 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 122 | ···· | ||
| 123 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 124 | ······package: | ||
| 125 | ········name="{{item}}" | ||
| 126 | ········state=absent | ||
| 127 | ······with_items: | ||
| 128 | ········-·xorg-x11-server-common | ||
| 129 | ······tags: | ||
| 130 | ········-·package_xorg-x11-server-common_removed | ||
| 131 | ········-·unknown_severity | ||
| 132 | ········-·disable_strategy | ||
| 133 | ········-·low_complexity | ||
| 134 | ········-·low_disruption | ||
| 135 | ········-·CCE-27198-1 | ||
| 136 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 137 | ···· | ||
| 138 | ····-·name:·Ensure·rsh-server·is·removed | 87 | ····-·name:·Ensure·rsh-server·is·removed |
| 139 | ······package: | 88 | ······package: |
| 140 | ········name="{{item}}" | 89 | ········name="{{item}}" |
| 141 | ········state=absent | 90 | ········state=absent |
| 142 | ······with_items: | 91 | ······with_items: |
| 143 | ········-·rsh-server | 92 | ········-·rsh-server |
| 144 | ······tags: | 93 | ······tags: |
| Offset 293, 14 lines modified | Offset 242, 81 lines modified | ||
| 293 | ········-·disable_strategy | 242 | ········-·disable_strategy |
| 294 | ········-·low_complexity | 243 | ········-·low_complexity |
| 295 | ········-·low_disruption | 244 | ········-·low_disruption |
| 296 | ········-·CCE-27005-8 | 245 | ········-·CCE-27005-8 |
| 297 | ········-·NIST-800-53-CM-7 | 246 | ········-·NIST-800-53-CM-7 |
| 298 | ········-·DISA-STIG-RHEL-06-000204 | 247 | ········-·DISA-STIG-RHEL-06-000204 |
| 299 | ···· | 248 | ···· |
| 249 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 250 | ······package: | ||
| 251 | ········name="{{item}}" | ||
| 252 | ········state=absent | ||
| Max diff block lines reached; 103453/109627 bytes (94.37%) of diff not shown. | |||
| Offset 32, 43 lines modified | Offset 32, 43 lines modified | ||
| 32 | ·······assert: | 32 | ·······assert: |
| 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 34 | ·········msg:·> | 34 | ·········msg:·> |
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······var_auditd_max_log_file:·6 | ||
| 40 | ······var_auditd_admin_space_left_action:·single | ||
| 41 | ······var_auditd_max_log_file_action:·rotate | ||
| 39 | ······rsyslog_remote_loghost_address:·None | 42 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 53 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_c | 54 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | 59 | ······var_accounts_minimum_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 62 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 63 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 64 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 65 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 67 | ······var_accounts_tmout:·600 |
| 65 | ······var_auditd_max_log_file:·6 | ||
| 66 | ······var_auditd_admin_space_left_action:·single | ||
| 67 | ······var_auditd_max_log_file_action:·rotate | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Enable·service·ntpd | 70 | ····-·name:·Enable·service·ntpd |
| 71 | ······service: | 71 | ······service: |
| 72 | ········name="{{item}}" | 72 | ········name="{{item}}" |
| 73 | ········enabled="yes" | 73 | ········enabled="yes" |
| 74 | ········state="started" | 74 | ········state="started" |
| Offset 81, 50 lines modified | Offset 81, 14 lines modified | ||
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-27093-4 | 83 | ········-·CCE-27093-4 |
| 84 | ········-·NIST-800-53-AU-8(1) | 84 | ········-·NIST-800-53-AU-8(1) |
| 85 | ········-·PCI-DSS-Req-10.4 | 85 | ········-·PCI-DSS-Req-10.4 |
| 86 | ········-·DISA-STIG-RHEL-06-000247 | 86 | ········-·DISA-STIG-RHEL-06-000247 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Enable·service·crond | ||
| 89 | ······service: | ||
| 90 | ········name="{{item}}" | ||
| 91 | ········enabled="yes" | ||
| 92 | ········state="started" | ||
| 93 | ······with_items: | ||
| 94 | ········-·crond | ||
| 95 | ······tags: | ||
| 96 | ········-·service_crond_enabled | ||
| 97 | ········-·medium_severity | ||
| 98 | ········-·enable_strategy | ||
| 99 | ········-·low_complexity | ||
| 100 | ········-·low_disruption | ||
| 101 | ········-·CCE-27070-2 | ||
| 102 | ········-·NIST-800-53-CM-7 | ||
| 103 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 104 | ···· | ||
| 105 | ····-·name:·Disable·service·atd | ||
| 106 | ······service: | ||
| 107 | ········name="{{item}}" | ||
| 108 | ········enabled="no" | ||
| 109 | ········state="stopped" | ||
| 110 | ······register:·service_result | ||
| 111 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 112 | ······with_items: | ||
| 113 | ········-·atd | ||
| 114 | ······tags: | ||
| 115 | ········-·service_atd_disabled | ||
| 116 | ········-·unknown_severity | ||
| 117 | ········-·disable_strategy | ||
| 118 | ········-·low_complexity | ||
| 119 | ········-·low_disruption | ||
| 120 | ········-·CCE-27249-2 | ||
| 121 | ········-·NIST-800-53-CM-7 | ||
| 122 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 123 | ···· | ||
| 124 | ····-·name:·Ensure·rsh-server·is·removed | 88 | ····-·name:·Ensure·rsh-server·is·removed |
| 125 | ······package: | 89 | ······package: |
| 126 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 127 | ········state=absent | 91 | ········state=absent |
| 128 | ······with_items: | 92 | ······with_items: |
| 129 | ········-·rsh-server | 93 | ········-·rsh-server |
| 130 | ······tags: | 94 | ······tags: |
| Offset 279, 14 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 250 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·openldap-servers | ||
| 256 | ······tags: | ||
| 257 | ········-·package_openldap-servers_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-26858-1 | ||
| 263 | ········-·NIST-800-53-CM-7 | ||
| 264 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 265 | ···· | ||
| 266 | ····-·name:·Enable·service·crond | ||
| 267 | ······service: | ||
| 268 | ········name="{{item}}" | ||
| Max diff block lines reached; 103453/108815 bytes (95.07%) of diff not shown. | |||
| Offset 37, 49 lines modified | Offset 37, 49 lines modified | ||
| 37 | ·······assert: | 37 | ·······assert: |
| 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 39 | ·········msg:·> | 39 | ·········msg:·> |
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······var_auditd_max_log_file:·6 | ||
| 45 | ······var_auditd_action_mail_acct:·admin | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·single | ||
| 48 | ······var_auditd_max_log_file_action:·rotate | ||
| 44 | ······rsyslog_remote_loghost_address:·None | 49 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 52 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 56 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_c | 61 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 62 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 58 | ······var_selinux_policy_name:·targeted | 63 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 64 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 65 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | 66 | ······var_accounts_minimum_age_login_defs:·1 |
| 67 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 68 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 69 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 70 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 71 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 72 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 73 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 74 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 76 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 77 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 78 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_auditd_action_mail_acct:·admin | ||
| 75 | ······var_auditd_max_log_file:·6 | ||
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | ||
| 79 | ······var_removable_partition:·/dev/cdrom | 79 | ······var_removable_partition:·/dev/cdrom |
| 80 | ······var_removable_partition:·/dev/cdrom | 80 | ······var_removable_partition:·/dev/cdrom |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Enable·service·ntpd | 83 | ····-·name:·Enable·service·ntpd |
| 84 | ······service: | 84 | ······service: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| Max diff block lines reached; 126814/131492 bytes (96.44%) of diff not shown. | |||
| Offset 35, 29 lines modified | Offset 35, 29 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 49 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·60 | 55 | ······var_accounts_maximum_age_login_defs:·60 |
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 127, 47 lines modified | Offset 127, 14 lines modified | ||
| 127 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 128 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 129 | ········-·low_complexity | 129 | ········-·low_complexity |
| 130 | ········-·low_disruption | 130 | ········-·low_disruption |
| 131 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 132 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 133 | ···· | 133 | ···· |
| 134 | ····-·name:·Ensure·dhcp·is·removed | ||
| 135 | ······package: | ||
| 136 | ········name="{{item}}" | ||
| 137 | ········state=absent | ||
| 138 | ······with_items: | ||
| 139 | ········-·dhcp | ||
| 140 | ······tags: | ||
| 141 | ········-·package_dhcp_removed | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·disable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27120-5 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·dhcpd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·dhcpd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_dhcpd_disabled | ||
| 160 | ········-·medium_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27074-4 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ···· | ||
| 167 | ····-·name:·Enable·service·ntpd | 134 | ····-·name:·Enable·service·ntpd |
| 168 | ······service: | 135 | ······service: |
| 169 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 170 | ········enabled="yes" | 137 | ········enabled="yes" |
| 171 | ········state="started" | 138 | ········state="started" |
| 172 | ······with_items: | 139 | ······with_items: |
| 173 | ········-·ntpd | 140 | ········-·ntpd |
| Offset 209, 50 lines modified | Offset 176, 14 lines modified | ||
| 209 | ········-·service_snmpd_disabled | 176 | ········-·service_snmpd_disabled |
| 210 | ········-·unknown_severity | 177 | ········-·unknown_severity |
| 211 | ········-·disable_strategy | 178 | ········-·disable_strategy |
| 212 | ········-·low_complexity | 179 | ········-·low_complexity |
| 213 | ········-·low_disruption | 180 | ········-·low_disruption |
| 214 | ········-·CCE-26906-8 | 181 | ········-·CCE-26906-8 |
| 215 | ···· | 182 | ···· |
| 216 | ····-·name:·Enable·service·crond | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="yes" | ||
| 220 | ········state="started" | ||
| 221 | ······with_items: | ||
| 222 | ········-·crond | ||
| 223 | ······tags: | ||
| 224 | ········-·service_crond_enabled | ||
| 225 | ········-·medium_severity | ||
| 226 | ········-·enable_strategy | ||
| 227 | ········-·low_complexity | ||
| 228 | ········-·low_disruption | ||
| 229 | ········-·CCE-27070-2 | ||
| 230 | ········-·NIST-800-53-CM-7 | ||
| 231 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 232 | ···· | ||
| 233 | ····-·name:·Disable·service·atd | ||
| 234 | ······service: | ||
| 235 | ········name="{{item}}" | ||
| 236 | ········enabled="no" | ||
| 237 | ········state="stopped" | ||
| 238 | ······register:·service_result | ||
| 239 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 240 | ······with_items: | ||
| 241 | ········-·atd | ||
| 242 | ······tags: | ||
| 243 | ········-·service_atd_disabled | ||
| 244 | ········-·unknown_severity | ||
| 245 | ········-·disable_strategy | ||
| 246 | ········-·low_complexity | ||
| 247 | ········-·low_disruption | ||
| 248 | ········-·CCE-27249-2 | ||
| 249 | ········-·NIST-800-53-CM-7 | ||
| 250 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 251 | ···· | ||
| 252 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 253 | ······package: | 184 | ······package: |
| 254 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| Max diff block lines reached; 133839/138029 bytes (96.96%) of diff not shown. | |||
| Offset 46, 25 lines modified | Offset 46, 25 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_ | 61 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_c | 62 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 63 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| Offset 77, 16 lines modified | Offset 77, 16 lines modified | ||
| 77 | ······var_password_pam_lcredit:·-1 | 77 | ······var_password_pam_lcredit:·-1 |
| 78 | ······var_password_pam_ucredit:·-1 | 78 | ······var_password_pam_ucredit:·-1 |
| 79 | ······var_password_pam_retry:·1 | 79 | ······var_password_pam_retry:·1 |
| 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_removable_partition:·/dev/cdrom | 82 | ······var_removable_partition:·/dev/cdrom |
| 83 | ······var_removable_partition:·/dev/cdrom | 83 | ······var_removable_partition:·/dev/cdrom |
| 84 | ······var_auditd_action_mail_acct:·root | ||
| 85 | ······var_auditd_max_log_file:·6 | 84 | ······var_auditd_max_log_file:·6 |
| 85 | ······var_auditd_action_mail_acct:·root | ||
| 86 | ······var_auditd_admin_space_left_action:·single | 86 | ······var_auditd_admin_space_left_action:·single |
| 87 | ······var_auditd_max_log_file_action:·rotate | 87 | ······var_auditd_max_log_file_action:·rotate |
| 88 | ···tasks: | 88 | ···tasks: |
| 89 | ····-·name:·Ensure·rsh·is·removed | 89 | ····-·name:·Ensure·rsh·is·removed |
| 90 | ······package: | 90 | ······package: |
| 91 | ········name="{{item}}" | 91 | ········name="{{item}}" |
| 92 | ········state=absent | 92 | ········state=absent |
| Offset 119, 54 lines modified | Offset 119, 54 lines modified | ||
| 119 | ········-·CCE-27336-7 | 119 | ········-·CCE-27336-7 |
| 120 | ········-·NIST-800-53-AC-17(8) | 120 | ········-·NIST-800-53-AC-17(8) |
| 121 | ········-·NIST-800-53-CM-7 | 121 | ········-·NIST-800-53-CM-7 |
| 122 | ········-·NIST-800-53-IA-5(1)(c) | 122 | ········-·NIST-800-53-IA-5(1)(c) |
| 123 | ········-·NIST-800-171-3.1.13 | 123 | ········-·NIST-800-171-3.1.13 |
| 124 | ········-·NIST-800-171-3.4.7 | 124 | ········-·NIST-800-171-3.4.7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Disable·service·r | 126 | ····-·name:·Disable·service·rsh |
| 127 | ······service: | 127 | ······service: |
| 128 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 129 | ········enabled="no" | 129 | ········enabled="no" |
| 130 | ········state="stopped" | 130 | ········state="stopped" |
| 131 | ······register:·service_result | 131 | ······register:·service_result |
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 133 | ······with_items: | 133 | ······with_items: |
| 134 | ········-·r | 134 | ········-·rsh |
| 135 | ······tags: | 135 | ······tags: |
| 136 | ········-·service_r | 136 | ········-·service_rsh_disabled |
| 137 | ········-·high_severity | 137 | ········-·high_severity |
| 138 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 139 | ········-·low_complexity | 139 | ········-·low_complexity |
| 140 | ········-·low_disruption | 140 | ········-·low_disruption |
| 141 | ········-·CCE-27 | 141 | ········-·CCE-27337-5 |
| 142 | ········-·NIST-800-53-AC-17(8) | 142 | ········-·NIST-800-53-AC-17(8) |
| 143 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 144 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 144 | ········-·NIST-800-171-3.1.13 | 145 | ········-·NIST-800-171-3.1.13 |
| 145 | ········-·NIST-800-171-3.4.7 | 146 | ········-·NIST-800-171-3.4.7 |
| 146 | ···· | 147 | ···· |
| 147 | ····-·name:·Disable·service·r | 148 | ····-·name:·Disable·service·rexec |
| 148 | ······service: | 149 | ······service: |
| 149 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 150 | ········enabled="no" | 151 | ········enabled="no" |
| 151 | ········state="stopped" | 152 | ········state="stopped" |
| 152 | ······register:·service_result | 153 | ······register:·service_result |
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 154 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 154 | ······with_items: | 155 | ······with_items: |
| 155 | ········-·r | 156 | ········-·rexec |
| 156 | ······tags: | 157 | ······tags: |
| 157 | ········-·service_r | 158 | ········-·service_rexec_disabled |
| 158 | ········-·high_severity | 159 | ········-·high_severity |
| 159 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 160 | ········-·low_complexity | 161 | ········-·low_complexity |
| 161 | ········-·low_disruption | 162 | ········-·low_disruption |
| 162 | ········-·CCE-27 | 163 | ········-·CCE-27408-4 |
| 163 | ········-·NIST-800-53-AC-17(8) | 164 | ········-·NIST-800-53-AC-17(8) |
| 164 | ········-·NIST-800-53-CM-7 | 165 | ········-·NIST-800-53-CM-7 |
| 165 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 166 | ········-·NIST-800-171-3.1.13 | 166 | ········-·NIST-800-171-3.1.13 |
| 167 | ········-·NIST-800-171-3.4.7 | 167 | ········-·NIST-800-171-3.4.7 |
| 168 | ···· | 168 | ···· |
| 169 | ····-·block: | 169 | ····-·block: |
| 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" | 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" |
| 171 | ··········find: | 171 | ··········find: |
| 172 | ··············paths:·/ | 172 | ··············paths:·/ |
| Offset 274, 30 lines modified | Offset 274, 14 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 297 | ····-·name:·Disable·service·xinetd | 281 | ····-·name:·Disable·service·xinetd |
| 298 | ······service: | 282 | ······service: |
| 299 | ········name="{{item}}" | 283 | ········name="{{item}}" |
| Max diff block lines reached; 66690/72411 bytes (92.10%) of diff not shown. | |||
| Offset 36, 25 lines modified | Offset 36, 25 lines modified | ||
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 43 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······var_accounts_minimum_age_login_defs:·1 | 47 | ······var_accounts_minimum_age_login_defs:·1 |
| 48 | ······var_account_disable_post_pw_expiration:·0 | 48 | ······var_account_disable_post_pw_expiration:·0 |
| 49 | ······var_password_pam_minlen:·12 | 49 | ······var_password_pam_minlen:·12 |
| 50 | ······var_password_pam_difok:·6 | 50 | ······var_password_pam_difok:·6 |
| 51 | ······var_accounts_max_concurrent_login_sessions:·3 | 51 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 52 | ······var_auditd_action_mail_acct:·admin | ||
| 53 | ······var_auditd_max_log_file:·1 | 52 | ······var_auditd_max_log_file:·1 |
| 53 | ······var_auditd_action_mail_acct:·admin | ||
| 54 | ······var_auditd_space_left_action:·suspend | 54 | ······var_auditd_space_left_action:·suspend |
| 55 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 56 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······inactivity_timeout_value:·1800 | 57 | ······inactivity_timeout_value:·1800 |
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| Offset 368, 100 lines modified | Offset 368, 100 lines modified | ||
| 368 | ········-·NIST-800-53-SC-7 | 368 | ········-·NIST-800-53-SC-7 |
| 369 | ········-·NIST-800-171-3.1.20 | 369 | ········-·NIST-800-171-3.1.20 |
| 370 | ········-·CJIS-5.10.1.1 | 370 | ········-·CJIS-5.10.1.1 |
| 371 | ········-·DISA-STIG-RHEL-07-040620 | 371 | ········-·DISA-STIG-RHEL-07-040620 |
| 372 | ···· | 372 | ···· |
| 373 | ···· | 373 | ···· |
| 374 | ···· | 374 | ···· |
| 375 | ····-·name:·Ensure·sysctl·net.ipv4. | 375 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 376 | ······sysctl: | 376 | ······sysctl: |
| 377 | ········name:·net.ipv4. | 377 | ········name:·net.ipv4.conf.default.accept_redirects |
| 378 | ········value:·"{{·sysctl_net_ipv4_ | 378 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 379 | ········state:·present | 379 | ········state:·present |
| 380 | ········reload:·yes | 380 | ········reload:·yes |
| 381 | ······tags: | 381 | ······tags: |
| 382 | ········-·sysctl_net_ipv4_ | 382 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 383 | ········-·medium_severity | 383 | ········-·medium_severity |
| 384 | ········-·disable_strategy | 384 | ········-·disable_strategy |
| 385 | ········-·low_complexity | 385 | ········-·low_complexity |
| 386 | ········-·medium_disruption | 386 | ········-·medium_disruption |
| 387 | ········-·CCE-8016 | 387 | ········-·CCE-80163-9 |
| 388 | ········-·NIST-800-53-AC-4 | 388 | ········-·NIST-800-53-AC-4 |
| 389 | ········-·NIST-800-53-CM-7 | 389 | ········-·NIST-800-53-CM-7 |
| 390 | ········-·NIST-800-53-SC-5 | 390 | ········-·NIST-800-53-SC-5 |
| 391 | ········-·NIST-800-53-SC-7 | ||
| 391 | ········-·NIST-800-171-3.1.20 | 392 | ········-·NIST-800-171-3.1.20 |
| 392 | ········-·CJIS-5.10.1.1 | 393 | ········-·CJIS-5.10.1.1 |
| 393 | ········-·DISA-STIG-RHEL-07-0406 | 394 | ········-·DISA-STIG-RHEL-07-040640 |
| 394 | ···· | 395 | ···· |
| 395 | ···· | 396 | ···· |
| 396 | ···· | 397 | ···· |
| 397 | ····-·name:·Ensure·sysctl·net.ipv4.conf. | 398 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.accept_redirects·is·set |
| 398 | ······sysctl: | 399 | ······sysctl: |
| 399 | ········name:·net.ipv4.conf. | 400 | ········name:·net.ipv4.conf.all.accept_redirects |
| 400 | ········value:·"{{·sysctl_net_ipv4_conf_ | 401 | ········value:·"{{·sysctl_net_ipv4_conf_all_accept_redirects_value·}}" |
| 401 | ········state:·present | 402 | ········state:·present |
| 402 | ········reload:·yes | 403 | ········reload:·yes |
| 403 | ······tags: | 404 | ······tags: |
| 404 | ········-·sysctl_net_ipv4_conf_ | 405 | ········-·sysctl_net_ipv4_conf_all_accept_redirects |
| 405 | ········-·medium_severity | 406 | ········-·medium_severity |
| 406 | ········-·disable_strategy | 407 | ········-·disable_strategy |
| 407 | ········-·low_complexity | 408 | ········-·low_complexity |
| 408 | ········-·medium_disruption | 409 | ········-·medium_disruption |
| 409 | ········-·CCE-801 | 410 | ········-·CCE-80158-9 |
| 410 | ········-·NIST-800-53- | 411 | ········-·NIST-800-53-CM-6(d) |
| 411 | ········-·NIST-800-53-CM-7 | 412 | ········-·NIST-800-53-CM-7 |
| 412 | ········-·NIST-800-53-SC-5 | 413 | ········-·NIST-800-53-SC-5 |
| 413 | ········-·NIST-800-53-SC-7 | ||
| 414 | ········-·NIST-800-171-3.1.20 | 414 | ········-·NIST-800-171-3.1.20 |
| 415 | ········-·CJIS-5.10.1.1 | 415 | ········-·CJIS-5.10.1.1 |
| 416 | ········-·DISA-STIG-RHEL-07-04064 | 416 | ········-·DISA-STIG-RHEL-07-040641 |
| 417 | ···· | 417 | ···· |
| 418 | ···· | 418 | ···· |
| 419 | ···· | 419 | ···· |
| 420 | ····-·name:·Ensure·sysctl·net.ipv4. | 420 | ····-·name:·Ensure·sysctl·net.ipv4.icmp_echo_ignore_broadcasts·is·set |
| 421 | ······sysctl: | 421 | ······sysctl: |
| 422 | ········name:·net.ipv4. | 422 | ········name:·net.ipv4.icmp_echo_ignore_broadcasts |
| 423 | ········value:·"{{·sysctl_net_ipv4_ | 423 | ········value:·"{{·sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value·}}" |
| 424 | ········state:·present | 424 | ········state:·present |
| 425 | ········reload:·yes | 425 | ········reload:·yes |
| 426 | ······tags: | 426 | ······tags: |
| 427 | ········-·sysctl_net_ipv4_ | 427 | ········-·sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| 428 | ········-·medium_severity | 428 | ········-·medium_severity |
| 429 | ········-·disable_strategy | 429 | ········-·disable_strategy |
| 430 | ········-·low_complexity | 430 | ········-·low_complexity |
| 431 | ········-·medium_disruption | 431 | ········-·medium_disruption |
| 432 | ········-·CCE- | 432 | ········-·CCE-80165-4 |
| 433 | ········-·NIST-800-53-AC-4 | 433 | ········-·NIST-800-53-AC-4 |
| 434 | ········-·NIST-800-53- | 434 | ········-·NIST-800-53-CM-7 |
| 435 | ········-·NIST-800-53-SC-5 | 435 | ········-·NIST-800-53-SC-5 |
| 436 | ········-·NIST-800-53-SC-5(3) | ||
| 437 | ········-·NIST-800-171-3.1.20 | 436 | ········-·NIST-800-171-3.1.20 |
| 438 | ········-·CJIS-5.10.1.1 | 437 | ········-·CJIS-5.10.1.1 |
| 438 | ········-·DISA-STIG-RHEL-07-040630 | ||
| 439 | ···· | 439 | ···· |
| 440 | ···· | 440 | ···· |
| 441 | ···· | 441 | ···· |
| 442 | ····-·name:·Ensure·sysctl·net.ipv4. | 442 | ····-·name:·Ensure·sysctl·net.ipv4.tcp_syncookies·is·set |
| 443 | ······sysctl: | 443 | ······sysctl: |
| 444 | ········name:·net.ipv4. | 444 | ········name:·net.ipv4.tcp_syncookies |
| 445 | ········value:·"{{·sysctl_net_ipv4_ | 445 | ········value:·"{{·sysctl_net_ipv4_tcp_syncookies_value·}}" |
| 446 | ········state:·present | 446 | ········state:·present |
| 447 | ········reload:·yes | 447 | ········reload:·yes |
| 448 | ······tags: | 448 | ······tags: |
| 449 | ········-·sysctl_net_ipv4_ | 449 | ········-·sysctl_net_ipv4_tcp_syncookies |
| 450 | ········-·medium_severity | 450 | ········-·medium_severity |
| 451 | ········-·disable_strategy | 451 | ········-·disable_strategy |
| 452 | ········-·low_complexity | 452 | ········-·low_complexity |
| 453 | ········-·medium_disruption | 453 | ········-·medium_disruption |
| 454 | ········-·CCE- | 454 | ········-·CCE-27495-1 |
| 455 | ········-·NIST-800-53- | 455 | ········-·NIST-800-53-AC-4 |
| 456 | ········-·NIST-800-53-C | 456 | ········-·NIST-800-53-SC-5(1)(2) |
| 457 | ········-·NIST-800-53-SC-5 | 457 | ········-·NIST-800-53-SC-5(2) |
| 458 | ········-·NIST-800-53-SC-5(3) | ||
| 458 | ········-·NIST-800-171-3.1.20 | 459 | ········-·NIST-800-171-3.1.20 |
| 459 | ········-·CJIS-5.10.1.1 | 460 | ········-·CJIS-5.10.1.1 |
| 460 | ········-·DISA-STIG-RHEL-07-040641 | ||
| 461 | ···· | 461 | ···· |
| 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 | 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 |
| Max diff block lines reached; 34274/39699 bytes (86.33%) of diff not shown. | |||
| Offset 81, 54 lines modified | Offset 81, 54 lines modified | ||
| 81 | ········-·CCE-27336-7 | 81 | ········-·CCE-27336-7 |
| 82 | ········-·NIST-800-53-AC-17(8) | 82 | ········-·NIST-800-53-AC-17(8) |
| 83 | ········-·NIST-800-53-CM-7 | 83 | ········-·NIST-800-53-CM-7 |
| 84 | ········-·NIST-800-53-IA-5(1)(c) | 84 | ········-·NIST-800-53-IA-5(1)(c) |
| 85 | ········-·NIST-800-171-3.1.13 | 85 | ········-·NIST-800-171-3.1.13 |
| 86 | ········-·NIST-800-171-3.4.7 | 86 | ········-·NIST-800-171-3.4.7 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Disable·service·r | 88 | ····-·name:·Disable·service·rsh |
| 89 | ······service: | 89 | ······service: |
| 90 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 91 | ········enabled="no" | 91 | ········enabled="no" |
| 92 | ········state="stopped" | 92 | ········state="stopped" |
| 93 | ······register:·service_result | 93 | ······register:·service_result |
| 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 95 | ······with_items: | 95 | ······with_items: |
| 96 | ········-·r | 96 | ········-·rsh |
| 97 | ······tags: | 97 | ······tags: |
| 98 | ········-·service_r | 98 | ········-·service_rsh_disabled |
| 99 | ········-·high_severity | 99 | ········-·high_severity |
| 100 | ········-·disable_strategy | 100 | ········-·disable_strategy |
| 101 | ········-·low_complexity | 101 | ········-·low_complexity |
| 102 | ········-·low_disruption | 102 | ········-·low_disruption |
| 103 | ········-·CCE-27 | 103 | ········-·CCE-27337-5 |
| 104 | ········-·NIST-800-53-AC-17(8) | 104 | ········-·NIST-800-53-AC-17(8) |
| 105 | ········-·NIST-800-53-CM-7 | 105 | ········-·NIST-800-53-CM-7 |
| 106 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 106 | ········-·NIST-800-171-3.1.13 | 107 | ········-·NIST-800-171-3.1.13 |
| 107 | ········-·NIST-800-171-3.4.7 | 108 | ········-·NIST-800-171-3.4.7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Disable·service·r | 110 | ····-·name:·Disable·service·rexec |
| 110 | ······service: | 111 | ······service: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········enabled="no" | 113 | ········enabled="no" |
| 113 | ········state="stopped" | 114 | ········state="stopped" |
| 114 | ······register:·service_result | 115 | ······register:·service_result |
| 115 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 116 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 116 | ······with_items: | 117 | ······with_items: |
| 117 | ········-·r | 118 | ········-·rexec |
| 118 | ······tags: | 119 | ······tags: |
| 119 | ········-·service_r | 120 | ········-·service_rexec_disabled |
| 120 | ········-·high_severity | 121 | ········-·high_severity |
| 121 | ········-·disable_strategy | 122 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 123 | ········-·low_complexity |
| 123 | ········-·low_disruption | 124 | ········-·low_disruption |
| 124 | ········-·CCE-27 | 125 | ········-·CCE-27408-4 |
| 125 | ········-·NIST-800-53-AC-17(8) | 126 | ········-·NIST-800-53-AC-17(8) |
| 126 | ········-·NIST-800-53-CM-7 | 127 | ········-·NIST-800-53-CM-7 |
| 127 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 128 | ········-·NIST-800-171-3.1.13 | 128 | ········-·NIST-800-171-3.1.13 |
| 129 | ········-·NIST-800-171-3.4.7 | 129 | ········-·NIST-800-171-3.4.7 |
| 130 | ···· | 130 | ···· |
| 131 | ····-·name:·Ensure·rsh-server·is·removed | 131 | ····-·name:·Ensure·rsh-server·is·removed |
| 132 | ······package: | 132 | ······package: |
| 133 | ········name="{{item}}" | 133 | ········name="{{item}}" |
| 134 | ········state=absent | 134 | ········state=absent |
| Offset 899, 30 lines modified | Offset 899, 14 lines modified | ||
| 899 | ········-·NIST-800-53-AC-6 | 899 | ········-·NIST-800-53-AC-6 |
| 900 | ········-·NIST-800-53-AU-9 | 900 | ········-·NIST-800-53-AU-9 |
| 901 | ········-·NIST-800-53-SI-6(a) | 901 | ········-·NIST-800-53-SI-6(a) |
| 902 | ········-·NIST-800-171-3.1.2 | 902 | ········-·NIST-800-171-3.1.2 |
| 903 | ········-·NIST-800-171-3.7.2 | 903 | ········-·NIST-800-171-3.7.2 |
| 904 | ········-·DISA-STIG-RHEL-07-020210 | 904 | ········-·DISA-STIG-RHEL-07-020210 |
| 905 | ···· | 905 | ···· |
| 906 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 907 | ······lineinfile: | ||
| 908 | ········dest:·/etc/securetty | ||
| 909 | ········regexp:·'ttyS[0-9]' | ||
| 910 | ········state:·absent | ||
| 911 | ······tags: | ||
| 912 | ········-·restrict_serial_port_logins | ||
| 913 | ········-·unknown_severity | ||
| 914 | ········-·restrict_strategy | ||
| 915 | ········-·low_complexity | ||
| 916 | ········-·low_disruption | ||
| 917 | ········-·CCE-27268-2 | ||
| 918 | ········-·NIST-800-53-AC-6(2) | ||
| 919 | ········-·NIST-800-171-3.1.1 | ||
| 920 | ········-·NIST-800-171-3.1.5 | ||
| 921 | ···· | ||
| 922 | ····-·name:·"Direct·root·Logins·Not·Allowed" | 906 | ····-·name:·"Direct·root·Logins·Not·Allowed" |
| 923 | ······shell:·echo·>·/etc/securetty | 907 | ······shell:·echo·>·/etc/securetty |
| 924 | ······tags: | 908 | ······tags: |
| 925 | ········-·no_direct_root_logins | 909 | ········-·no_direct_root_logins |
| 926 | ········-·medium_severity | 910 | ········-·medium_severity |
| 927 | ········-·restrict_strategy | 911 | ········-·restrict_strategy |
| 928 | ········-·low_complexity | 912 | ········-·low_complexity |
| Offset 944, 14 lines modified | Offset 928, 30 lines modified | ||
| 944 | ········-·low_complexity | 928 | ········-·low_complexity |
| 945 | ········-·low_disruption | 929 | ········-·low_disruption |
| 946 | ········-·CCE-27318-5 | 930 | ········-·CCE-27318-5 |
| 947 | ········-·NIST-800-53-AC-6(2) | 931 | ········-·NIST-800-53-AC-6(2) |
| 948 | ········-·NIST-800-171-3.1.1 | 932 | ········-·NIST-800-171-3.1.1 |
| 949 | ········-·NIST-800-171-3.1.5 | 933 | ········-·NIST-800-171-3.1.5 |
| 950 | ···· | 934 | ···· |
| 935 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 936 | ······lineinfile: | ||
| 937 | ········dest:·/etc/securetty | ||
| 938 | ········regexp:·'ttyS[0-9]' | ||
| 939 | ········state:·absent | ||
| 940 | ······tags: | ||
| 941 | ········-·restrict_serial_port_logins | ||
| 942 | ········-·unknown_severity | ||
| 943 | ········-·restrict_strategy | ||
| 944 | ········-·low_complexity | ||
| 945 | ········-·low_disruption | ||
| 946 | ········-·CCE-27268-2 | ||
| 947 | ········-·NIST-800-53-AC-6(2) | ||
| 948 | ········-·NIST-800-171-3.1.1 | ||
| 949 | ········-·NIST-800-171-3.1.5 | ||
| 950 | ···· | ||
| 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 952 | ······replace: | 952 | ······replace: |
| 953 | ········dest:·/etc/pam.d/system-auth | 953 | ········dest:·/etc/pam.d/system-auth |
| 954 | ········follow:·yes | 954 | ········follow:·yes |
| 955 | ········regexp:·'nullok' | 955 | ········regexp:·'nullok' |
| 956 | ······tags: | 956 | ······tags: |
| 957 | ········-·no_empty_passwords | 957 | ········-·no_empty_passwords |
| Offset 1025, 59 lines modified | Offset 1025, 14 lines modified | ||
| 1025 | ········-·medium_severity | 1025 | ········-·medium_severity |
| 1026 | ········-·disable_strategy | 1026 | ········-·disable_strategy |
| 1027 | ········-·low_complexity | 1027 | ········-·low_complexity |
| 1028 | ········-·low_disruption | 1028 | ········-·low_disruption |
| 1029 | ········-·CCE-80206-6 | 1029 | ········-·CCE-80206-6 |
| 1030 | ········-·NIST-800-171-3.4.5 | 1030 | ········-·NIST-800-171-3.4.5 |
| 1031 | ···· | 1031 | ···· |
| 1032 | ····-·name:·Ensure·kernel·module·'usb-storage'·is·disabled | ||
| 1033 | ······lineinfile: | ||
| Max diff block lines reached; 61653/66721 bytes (92.40%) of diff not shown. | |||
| Offset 56, 86 lines modified | Offset 56, 86 lines modified | ||
| 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 63 | ······sysctl_net_ipv4_icmp_ | 63 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 67 | ······sysctl_net_ipv4_conf_ | 67 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 69 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 68 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 69 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 71 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 70 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 72 | ······sysctl_net_ipv4_ | 71 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_c | 72 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 73 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 75 | ······var_ssh_sysadm_login:·false | 75 | ······var_ssh_sysadm_login:·false |
| 76 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 76 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 77 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_gpg_web_anon_write:·false | ||
| 80 | ······var_mount_anyfile:·true | 78 | ······var_mount_anyfile:·true |
| 81 | ······var_se | 79 | ······var_selinuxuser_tcp_server:·false |
| 82 | ······var_daemons_use_tcp_wrapper:·false | 80 | ······var_daemons_use_tcp_wrapper:·false |
| 81 | ······var_cron_can_relabel:·false | ||
| 83 | ······var_user_exec_content:·true | 82 | ······var_user_exec_content:·true |
| 84 | ······var_deny_ptrace:·false | 83 | ······var_deny_ptrace:·false |
| 85 | ······var_ | 84 | ······var_secure_mode:·false |
| 85 | ······var_xdm_write_home:·false | ||
| 86 | ······var_xserver_object_manager:·false | 86 | ······var_xserver_object_manager:·false |
| 87 | ······var_xdm_sysadm_login:·false | 87 | ······var_xdm_sysadm_login:·false |
| 88 | ······var_selinuxuser_mysql_connect_enabled:·false | 88 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 89 | ······var_ssh_keysign:·false | ||
| 90 | ······var_xserver_execmem:·false | ||
| 91 | ······var_cron_userdomain_transition:·true | 89 | ······var_cron_userdomain_transition:·true |
| 92 | ······var_secure_mode_insmod:·false | ||
| 93 | ······var_xguest_mount_media:·true | 90 | ······var_xguest_mount_media:·true |
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 91 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 92 | ······var_deny_execmem:·false |
| 96 | ······var_ | 93 | ······var_gpg_web_anon_write:·false |
| 97 | ······var_secure_mode_policyload:·false | ||
| 98 | ······var_abrt_anon_write:·false | 94 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 95 | ······var_ssh_chroot_rw_homedirs:·false |
| 100 | ······var_logging_syslogd_use_tty:·true | 96 | ······var_logging_syslogd_use_tty:·true |
| 97 | ······var_login_console_enabled:·true | ||
| 101 | ······var_abrt_handle_event:·false | 98 | ······var_abrt_handle_event:·false |
| 99 | ······var_mock_enable_homedirs:·false | ||
| 102 | ······var_unconfined_login:·true | 100 | ······var_unconfined_login:·true |
| 101 | ······var_logging_syslogd_can_sendmail:·false | ||
| 103 | ······var_selinuxuser_postgresql_connect_enabled:·false | 102 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 104 | ······var_abrt_upload_watch_anon_write:·true | 103 | ······var_abrt_upload_watch_anon_write:·true |
| 105 | ······var_daemons_use_tty:·false | 104 | ······var_daemons_use_tty:·false |
| 106 | ······var_selinuxuser_tcp_server:·false | ||
| 107 | ······var_cron_can_relabel:·false | ||
| 108 | ······var_staff_exec_content:·true | ||
| 109 | ······var_selinuxuser_direct_dri_enabled:·true | 105 | ······var_selinuxuser_direct_dri_enabled:·true |
| 106 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 107 | ······var_xserver_execmem:·false | ||
| 110 | ······var_xserver_clients_write_xshm:·false | 108 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 109 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 110 | ······var_xguest_exec_content:·true |
| 114 | ······var_ | 111 | ······var_domain_kernel_load_modules:·false |
| 115 | ······var_ | 112 | ······var_ssh_keysign:·false |
| 116 | ······var_ | 113 | ······var_secure_mode_insmod:·false |
| 117 | ······var_selinuxuser_ | 114 | ······var_selinuxuser_execmod:·true |
| 115 | ······var_staff_exec_content:·true | ||
| 118 | ······var_mmap_low_allowed:·false | 116 | ······var_mmap_low_allowed:·false |
| 119 | ······var_selinuxuser_share_music:·false | 117 | ······var_selinuxuser_share_music:·false |
| 120 | ······var_ | 118 | ······var_domain_fd_use:·true |
| 119 | ······var_selinuxuser_udp_server:·false | ||
| 121 | ······var_cron_system_cronjob_use_shares:·false | 120 | ······var_cron_system_cronjob_use_shares:·false |
| 121 | ······var_logadm_exec_content:·true | ||
| 122 | ······var_xguest_connect_network:·true | 122 | ······var_xguest_connect_network:·true |
| 123 | ······var_xdm_write_home:·false | ||
| 124 | ······var_sysadm_exec_content:·true | 123 | ······var_sysadm_exec_content:·true |
| 125 | ······var_xguest_use_bluetooth:·true | 124 | ······var_xguest_use_bluetooth:·true |
| 126 | ······var_ | 125 | ······var_kerberos_enabled:·true |
| 127 | ······var_ | 126 | ······var_guest_exec_content:·true |
| 128 | ······var_daemons_dump_core:·false | 127 | ······var_daemons_dump_core:·false |
| 129 | ······var_xdm_exec_bootloader:·false | 128 | ······var_xdm_exec_bootloader:·false |
| 130 | ······var_fips_mode:·true | 129 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 130 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | ||
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 131 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 132 | ······var_selinuxuser_ping:·true |
| 133 | ······var_secure_mode_policyload:·false | ||
| 134 | ······var_selinuxuser_execheap:·false | ||
| 135 | ······var_secadm_exec_content:·true | 135 | ······var_secadm_exec_content:·true |
| 136 | ······var_selinux_policy_name:·targeted | 136 | ······var_selinux_policy_name:·targeted |
| 137 | ······var_selinux_state:·enforcing | 137 | ······var_selinux_state:·enforcing |
| 138 | ······var_accounts_password_minlen_login_defs:·6 | 138 | ······var_accounts_password_minlen_login_defs:·6 |
| 139 | ······var_accounts_password_warn_age_login_defs:·7 | 139 | ······var_accounts_password_warn_age_login_defs:·7 |
| 140 | ······var_accounts_minimum_age_login_defs:·7 | 140 | ······var_accounts_minimum_age_login_defs:·7 |
| 141 | ······var_accounts_maximum_age_login_defs:·60 | 141 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 155, 22 lines modified | Offset 155, 22 lines modified | ||
| 155 | ······var_password_pam_difok:·8 | 155 | ······var_password_pam_difok:·8 |
| 156 | ······var_password_pam_ocredit:·-1 | 156 | ······var_password_pam_ocredit:·-1 |
| 157 | ······var_password_pam_lcredit:·-1 | 157 | ······var_password_pam_lcredit:·-1 |
| 158 | ······var_password_pam_ucredit:·-1 | 158 | ······var_password_pam_ucredit:·-1 |
| 159 | ······var_password_pam_retry:·3 | 159 | ······var_password_pam_retry:·3 |
| 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 161 | ······var_accounts_user_umask:·077 | 161 | ······var_accounts_user_umask:·077 |
| 162 | ······var_accounts_tmout:·600 | ||
| 163 | ······var_accounts_fail_delay:·4 | 162 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_max_concurrent_login_sessions:·10 | 163 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 164 | ······var_accounts_tmout:·600 | ||
| 165 | ······var_removable_partition:·/dev/cdrom | 165 | ······var_removable_partition:·/dev/cdrom |
| 166 | ······var_removable_partition:·/dev/cdrom | 166 | ······var_removable_partition:·/dev/cdrom |
| 167 | ······var_removable_partition:·/dev/cdrom | 167 | ······var_removable_partition:·/dev/cdrom |
| 168 | ······var_auditd_action_mail_acct:·root | ||
| 169 | ······var_auditd_max_log_file:·6 | 168 | ······var_auditd_max_log_file:·6 |
| 169 | ······var_auditd_action_mail_acct:·root | ||
| 170 | ······var_auditd_space_left_action:·email | 170 | ······var_auditd_space_left_action:·email |
| 171 | ······var_auditd_admin_space_left_action:·single | 171 | ······var_auditd_admin_space_left_action:·single |
| 172 | ······var_auditd_max_log_file_action:·rotate | 172 | ······var_auditd_max_log_file_action:·rotate |
| 173 | ······inactivity_timeout_value:·600 | 173 | ······inactivity_timeout_value:·600 |
| 174 | ···tasks: | 174 | ···tasks: |
| 175 | ····-·name:·Ensure·rsh·is·removed | 175 | ····-·name:·Ensure·rsh·is·removed |
| 176 | ······package: | 176 | ······package: |
| Offset 205, 54 lines modified | Offset 205, 54 lines modified | ||
| 205 | ········-·CCE-27336-7 | 205 | ········-·CCE-27336-7 |
| 206 | ········-·NIST-800-53-AC-17(8) | 206 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 67, 86 lines modified | Offset 67, 86 lines modified | ||
| 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 74 | ······sysctl_net_ipv4_icmp_ | 74 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 78 | ······sysctl_net_ipv4_conf_ | 78 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 79 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 80 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 79 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 81 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 80 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 82 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 81 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 83 | ······sysctl_net_ipv4_ | 82 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 84 | ······sysctl_net_ipv4_c | 83 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 84 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 86 | ······var_ssh_sysadm_login:·false | 86 | ······var_ssh_sysadm_login:·false |
| 87 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 87 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 88 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_gpg_web_anon_write:·false | ||
| 91 | ······var_mount_anyfile:·true | 89 | ······var_mount_anyfile:·true |
| 92 | ······var_se | 90 | ······var_selinuxuser_tcp_server:·false |
| 93 | ······var_daemons_use_tcp_wrapper:·false | 91 | ······var_daemons_use_tcp_wrapper:·false |
| 92 | ······var_cron_can_relabel:·false | ||
| 94 | ······var_user_exec_content:·true | 93 | ······var_user_exec_content:·true |
| 95 | ······var_deny_ptrace:·false | 94 | ······var_deny_ptrace:·false |
| 96 | ······var_ | 95 | ······var_secure_mode:·false |
| 96 | ······var_xdm_write_home:·false | ||
| 97 | ······var_xserver_object_manager:·false | 97 | ······var_xserver_object_manager:·false |
| 98 | ······var_xdm_sysadm_login:·false | 98 | ······var_xdm_sysadm_login:·false |
| 99 | ······var_selinuxuser_mysql_connect_enabled:·false | 99 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 100 | ······var_ssh_keysign:·false | ||
| 101 | ······var_xserver_execmem:·false | ||
| 102 | ······var_cron_userdomain_transition:·true | 100 | ······var_cron_userdomain_transition:·true |
| 103 | ······var_secure_mode_insmod:·false | ||
| 104 | ······var_xguest_mount_media:·true | 101 | ······var_xguest_mount_media:·true |
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 102 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 103 | ······var_deny_execmem:·false |
| 107 | ······var_ | 104 | ······var_gpg_web_anon_write:·false |
| 108 | ······var_secure_mode_policyload:·false | ||
| 109 | ······var_abrt_anon_write:·false | 105 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 106 | ······var_ssh_chroot_rw_homedirs:·false |
| 111 | ······var_logging_syslogd_use_tty:·true | 107 | ······var_logging_syslogd_use_tty:·true |
| 108 | ······var_login_console_enabled:·true | ||
| 112 | ······var_abrt_handle_event:·false | 109 | ······var_abrt_handle_event:·false |
| 110 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_unconfined_login:·true | 111 | ······var_unconfined_login:·true |
| 112 | ······var_logging_syslogd_can_sendmail:·false | ||
| 114 | ······var_selinuxuser_postgresql_connect_enabled:·false | 113 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 115 | ······var_abrt_upload_watch_anon_write:·true | 114 | ······var_abrt_upload_watch_anon_write:·true |
| 116 | ······var_daemons_use_tty:·false | 115 | ······var_daemons_use_tty:·false |
| 117 | ······var_selinuxuser_tcp_server:·false | ||
| 118 | ······var_cron_can_relabel:·false | ||
| 119 | ······var_staff_exec_content:·true | ||
| 120 | ······var_selinuxuser_direct_dri_enabled:·true | 116 | ······var_selinuxuser_direct_dri_enabled:·true |
| 117 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 118 | ······var_xserver_execmem:·false | ||
| 121 | ······var_xserver_clients_write_xshm:·false | 119 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 120 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 121 | ······var_xguest_exec_content:·true |
| 125 | ······var_ | 122 | ······var_domain_kernel_load_modules:·false |
| 126 | ······var_ | 123 | ······var_ssh_keysign:·false |
| 127 | ······var_ | 124 | ······var_secure_mode_insmod:·false |
| 128 | ······var_selinuxuser_ | 125 | ······var_selinuxuser_execmod:·true |
| 126 | ······var_staff_exec_content:·true | ||
| 129 | ······var_mmap_low_allowed:·false | 127 | ······var_mmap_low_allowed:·false |
| 130 | ······var_selinuxuser_share_music:·false | 128 | ······var_selinuxuser_share_music:·false |
| 131 | ······var_ | 129 | ······var_domain_fd_use:·true |
| 130 | ······var_selinuxuser_udp_server:·false | ||
| 132 | ······var_cron_system_cronjob_use_shares:·false | 131 | ······var_cron_system_cronjob_use_shares:·false |
| 132 | ······var_logadm_exec_content:·true | ||
| 133 | ······var_xguest_connect_network:·true | 133 | ······var_xguest_connect_network:·true |
| 134 | ······var_xdm_write_home:·false | ||
| 135 | ······var_sysadm_exec_content:·true | 134 | ······var_sysadm_exec_content:·true |
| 136 | ······var_xguest_use_bluetooth:·true | 135 | ······var_xguest_use_bluetooth:·true |
| 137 | ······var_ | 136 | ······var_kerberos_enabled:·true |
| 138 | ······var_ | 137 | ······var_guest_exec_content:·true |
| 139 | ······var_daemons_dump_core:·false | 138 | ······var_daemons_dump_core:·false |
| 140 | ······var_xdm_exec_bootloader:·false | 139 | ······var_xdm_exec_bootloader:·false |
| 141 | ······var_fips_mode:·true | 140 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 141 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | ||
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 142 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 143 | ······var_selinuxuser_ping:·true |
| 144 | ······var_secure_mode_policyload:·false | ||
| 145 | ······var_selinuxuser_execheap:·false | ||
| 146 | ······var_secadm_exec_content:·true | 146 | ······var_secadm_exec_content:·true |
| 147 | ······var_selinux_policy_name:·targeted | 147 | ······var_selinux_policy_name:·targeted |
| 148 | ······var_selinux_state:·enforcing | 148 | ······var_selinux_state:·enforcing |
| 149 | ······var_accounts_password_minlen_login_defs:·6 | 149 | ······var_accounts_password_minlen_login_defs:·6 |
| 150 | ······var_accounts_password_warn_age_login_defs:·7 | 150 | ······var_accounts_password_warn_age_login_defs:·7 |
| 151 | ······var_accounts_minimum_age_login_defs:·7 | 151 | ······var_accounts_minimum_age_login_defs:·7 |
| 152 | ······var_accounts_maximum_age_login_defs:·60 | 152 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 166, 22 lines modified | Offset 166, 22 lines modified | ||
| 166 | ······var_password_pam_difok:·8 | 166 | ······var_password_pam_difok:·8 |
| 167 | ······var_password_pam_ocredit:·-1 | 167 | ······var_password_pam_ocredit:·-1 |
| 168 | ······var_password_pam_lcredit:·-1 | 168 | ······var_password_pam_lcredit:·-1 |
| 169 | ······var_password_pam_ucredit:·-1 | 169 | ······var_password_pam_ucredit:·-1 |
| 170 | ······var_password_pam_retry:·3 | 170 | ······var_password_pam_retry:·3 |
| 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 172 | ······var_accounts_user_umask:·077 | 172 | ······var_accounts_user_umask:·077 |
| 173 | ······var_accounts_tmout:·600 | ||
| 174 | ······var_accounts_fail_delay:·4 | 173 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_max_concurrent_login_sessions:·10 | 174 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 175 | ······var_accounts_tmout:·600 | ||
| 176 | ······var_removable_partition:·/dev/cdrom | 176 | ······var_removable_partition:·/dev/cdrom |
| 177 | ······var_removable_partition:·/dev/cdrom | 177 | ······var_removable_partition:·/dev/cdrom |
| 178 | ······var_removable_partition:·/dev/cdrom | 178 | ······var_removable_partition:·/dev/cdrom |
| 179 | ······var_auditd_action_mail_acct:·root | ||
| 180 | ······var_auditd_max_log_file:·6 | 179 | ······var_auditd_max_log_file:·6 |
| 180 | ······var_auditd_action_mail_acct:·root | ||
| 181 | ······var_auditd_space_left_action:·email | 181 | ······var_auditd_space_left_action:·email |
| 182 | ······var_auditd_admin_space_left_action:·single | 182 | ······var_auditd_admin_space_left_action:·single |
| 183 | ······var_auditd_max_log_file_action:·rotate | 183 | ······var_auditd_max_log_file_action:·rotate |
| 184 | ······inactivity_timeout_value:·900 | 184 | ······inactivity_timeout_value:·900 |
| 185 | ···tasks: | 185 | ···tasks: |
| 186 | ····-·name:·Ensure·rsh·is·removed | 186 | ····-·name:·Ensure·rsh·is·removed |
| 187 | ······package: | 187 | ······package: |
| Offset 216, 54 lines modified | Offset 216, 54 lines modified | ||
| 216 | ········-·CCE-27336-7 | 216 | ········-·CCE-27336-7 |
| 217 | ········-·NIST-800-53-AC-17(8) | 217 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 40, 16 lines modified | Offset 40, 16 lines modified | ||
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_password_pam_dcredit:·-1 | 44 | ······var_password_pam_dcredit:·-1 |
| 45 | ······var_password_pam_lcredit:·-1 | 45 | ······var_password_pam_lcredit:·-1 |
| 46 | ······var_password_pam_ucredit:·-1 | 46 | ······var_password_pam_ucredit:·-1 |
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_max_log_file:·1 | 47 | ······var_auditd_max_log_file:·1 |
| 48 | ······var_auditd_action_mail_acct:·admin | ||
| 49 | ······var_auditd_space_left_action:·suspend | 49 | ······var_auditd_space_left_action:·suspend |
| 50 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 51 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······inactivity_timeout_value:·900 | 52 | ······inactivity_timeout_value:·900 |
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| Offset 113, 37 lines modified | Offset 113, 14 lines modified | ||
| 113 | ········-·NIST-800-53-IA-5(g) | 113 | ········-·NIST-800-53-IA-5(g) |
| 114 | ········-·NIST-800-53-IA-5(1)(d) | 114 | ········-·NIST-800-53-IA-5(1)(d) |
| 115 | ········-·NIST-800-171-3.5.6 | 115 | ········-·NIST-800-171-3.5.6 |
| 116 | ········-·PCI-DSS-Req-8.2.4 | 116 | ········-·PCI-DSS-Req-8.2.4 |
| 117 | ········-·CJIS-5.6.2.1 | 117 | ········-·CJIS-5.6.2.1 |
| 118 | ········-·DISA-STIG-RHEL-07-010250 | 118 | ········-·DISA-STIG-RHEL-07-010250 |
| 119 | ···· | 119 | ···· |
| 120 | ···· | ||
| 121 | ···· | ||
| 122 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 123 | ······lineinfile: | ||
| 124 | ········create:·yes | ||
| 125 | ········dest:·/etc/default/useradd | ||
| 126 | ········regexp:·^INACTIVE | ||
| 127 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 128 | ······tags: | ||
| 129 | ········-·account_disable_post_pw_expiration | ||
| 130 | ········-·medium_severity | ||
| 131 | ········-·restrict_strategy | ||
| 132 | ········-·low_complexity | ||
| 133 | ········-·low_disruption | ||
| 134 | ········-·CCE-27355-7 | ||
| 135 | ········-·NIST-800-53-AC-2(2) | ||
| 136 | ········-·NIST-800-53-AC-2(3) | ||
| 137 | ········-·NIST-800-53-IA-4(e) | ||
| 138 | ········-·NIST-800-171-3.5.6 | ||
| 139 | ········-·PCI-DSS-Req-8.1.4 | ||
| 140 | ········-·CJIS-5.6.2.1.1 | ||
| 141 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 142 | ···· | ||
| 143 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 120 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 144 | ······replace: | 121 | ······replace: |
| 145 | ········dest:·/etc/pam.d/system-auth | 122 | ········dest:·/etc/pam.d/system-auth |
| 146 | ········follow:·yes | 123 | ········follow:·yes |
| 147 | ········regexp:·'nullok' | 124 | ········regexp:·'nullok' |
| 148 | ······tags: | 125 | ······tags: |
| 149 | ········-·no_empty_passwords | 126 | ········-·no_empty_passwords |
| Offset 180, 14 lines modified | Offset 157, 37 lines modified | ||
| 180 | ········-·NIST-800-53-IA-5(1)(a) | 157 | ········-·NIST-800-53-IA-5(1)(a) |
| 181 | ········-·NIST-800-171-3.1.1 | 158 | ········-·NIST-800-171-3.1.1 |
| 182 | ········-·NIST-800-171-3.1.5 | 159 | ········-·NIST-800-171-3.1.5 |
| 183 | ········-·PCI-DSS-Req-8.2.3 | 160 | ········-·PCI-DSS-Req-8.2.3 |
| 184 | ········-·CJIS-5.5.2 | 161 | ········-·CJIS-5.5.2 |
| 185 | ········-·DISA-STIG-RHEL-07-010290 | 162 | ········-·DISA-STIG-RHEL-07-010290 |
| 186 | ···· | 163 | ···· |
| 164 | ···· | ||
| 165 | ···· | ||
| 166 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 167 | ······lineinfile: | ||
| 168 | ········create:·yes | ||
| 169 | ········dest:·/etc/default/useradd | ||
| 170 | ········regexp:·^INACTIVE | ||
| 171 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 172 | ······tags: | ||
| 173 | ········-·account_disable_post_pw_expiration | ||
| 174 | ········-·medium_severity | ||
| 175 | ········-·restrict_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27355-7 | ||
| 179 | ········-·NIST-800-53-AC-2(2) | ||
| 180 | ········-·NIST-800-53-AC-2(3) | ||
| 181 | ········-·NIST-800-53-IA-4(e) | ||
| 182 | ········-·NIST-800-171-3.5.6 | ||
| 183 | ········-·PCI-DSS-Req-8.1.4 | ||
| 184 | ········-·CJIS-5.6.2.1.1 | ||
| 185 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 186 | ···· | ||
| 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs | 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs |
| 188 | ······lineinfile: | 188 | ······lineinfile: |
| 189 | ··········dest:·/etc/login.defs | 189 | ··········dest:·/etc/login.defs |
| 190 | ··········regexp:·^#?ENCRYPT_METHOD | 190 | ··········regexp:·^#?ENCRYPT_METHOD |
| 191 | ··········line:·ENCRYPT_METHOD·SHA512 | 191 | ··········line:·ENCRYPT_METHOD·SHA512 |
| 192 | ··········state:·present | 192 | ··········state:·present |
| 193 | ······tags: | 193 | ······tags: |
| Offset 532, 105 lines modified | Offset 532, 105 lines modified | ||
| 532 | ···· | 532 | ···· |
| 533 | ····-·name:·Find·/etc/passwd·file(s) | 533 | ····-·name:·Find·/etc/passwd·file(s) |
| 534 | ······find: | 534 | ······find: |
| 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 537 | ······register:·files_found | 537 | ······register:·files_found |
| 538 | ······tags: | 538 | ······tags: |
| 539 | ········-·file_owner_etc_passwd | 539 | ········-·file_groupowner_etc_passwd |
| 540 | ········-·medium_severity | 540 | ········-·medium_severity |
| 541 | ········-·configure_strategy | 541 | ········-·configure_strategy |
| 542 | ········-·low_complexity | 542 | ········-·low_complexity |
| 543 | ········-·low_disruption | 543 | ········-·low_disruption |
| 544 | ········-·CCE-2 | 544 | ········-·CCE-26639-5 |
| 545 | ········-·NIST-800-53-AC-6 | 545 | ········-·NIST-800-53-AC-6 |
| 546 | ········-·PCI-DSS-Req-8.7.c | 546 | ········-·PCI-DSS-Req-8.7.c |
| 547 | ········-·CJIS-5.5.2.2 | 547 | ········-·CJIS-5.5.2.2 |
| 548 | ···· | 548 | ···· |
| 549 | ····-·name:·Set· | 549 | ····-·name:·Set·group·ownership·to·root |
| 550 | ······file: | 550 | ······file: |
| 551 | ········path:·"{{·item.path·}}" | 551 | ········path:·"{{·item.path·}}" |
| 552 | ········ | 552 | ········group:·root |
| 553 | ······with_items: | 553 | ······with_items: |
| 554 | ········-·"{{·files_found.files·}}" | 554 | ········-·"{{·files_found.files·}}" |
| 555 | ······tags: | 555 | ······tags: |
| 556 | ········-·file_owner_etc_passwd | 556 | ········-·file_groupowner_etc_passwd |
| 557 | ········-·medium_severity | 557 | ········-·medium_severity |
| 558 | ········-·configure_strategy | 558 | ········-·configure_strategy |
| 559 | ········-·low_complexity | 559 | ········-·low_complexity |
| 560 | ········-·low_disruption | 560 | ········-·low_disruption |
| 561 | ········-·CCE-2 | 561 | ········-·CCE-26639-5 |
| 562 | ········-·NIST-800-53-AC-6 | 562 | ········-·NIST-800-53-AC-6 |
| 563 | ········-·PCI-DSS-Req-8.7.c | 563 | ········-·PCI-DSS-Req-8.7.c |
| 564 | ········-·CJIS-5.5.2.2 | 564 | ········-·CJIS-5.5.2.2 |
| Max diff block lines reached; 30903/34829 bytes (88.73%) of diff not shown. | |||
| Offset 1005, 14 lines modified | Offset 1005, 48 lines modified | ||
| 1005 | ········-·low_disruption | 1005 | ········-·low_disruption |
| 1006 | ········-·CCE-26949-8 | 1006 | ········-·CCE-26949-8 |
| 1007 | ········-·NIST-800-53-AC-6 | 1007 | ········-·NIST-800-53-AC-6 |
| 1008 | ········-·PCI-DSS-Req-8.7.c | 1008 | ········-·PCI-DSS-Req-8.7.c |
| 1009 | ········-·CJIS-5.5.2.2 | 1009 | ········-·CJIS-5.5.2.2 |
| 1010 | ···· | 1010 | ···· |
| 1011 | ···· | 1011 | ···· |
| 1012 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1013 | ······find: | ||
| 1014 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1015 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1016 | ······register:·files_found | ||
| 1017 | ······tags: | ||
| 1018 | ········-·file_groupowner_etc_passwd | ||
| 1019 | ········-·medium_severity | ||
| 1020 | ········-·configure_strategy | ||
| 1021 | ········-·low_complexity | ||
| 1022 | ········-·low_disruption | ||
| 1023 | ········-·CCE-26639-5 | ||
| 1024 | ········-·NIST-800-53-AC-6 | ||
| 1025 | ········-·PCI-DSS-Req-8.7.c | ||
| 1026 | ········-·CJIS-5.5.2.2 | ||
| 1027 | ···· | ||
| 1028 | ····-·name:·Set·group·ownership·to·root | ||
| 1029 | ······file: | ||
| 1030 | ········path:·"{{·item.path·}}" | ||
| 1031 | ········group:·root | ||
| 1032 | ······with_items: | ||
| 1033 | ········-·"{{·files_found.files·}}" | ||
| 1034 | ······tags: | ||
| 1035 | ········-·file_groupowner_etc_passwd | ||
| 1036 | ········-·medium_severity | ||
| 1037 | ········-·configure_strategy | ||
| 1038 | ········-·low_complexity | ||
| 1039 | ········-·low_disruption | ||
| 1040 | ········-·CCE-26639-5 | ||
| 1041 | ········-·NIST-800-53-AC-6 | ||
| 1042 | ········-·PCI-DSS-Req-8.7.c | ||
| 1043 | ········-·CJIS-5.5.2.2 | ||
| 1044 | ···· | ||
| 1045 | ···· | ||
| 1012 | ····-·name:·Find·/etc/gshadow·file(s) | 1046 | ····-·name:·Find·/etc/gshadow·file(s) |
| 1013 | ······find: | 1047 | ······find: |
| 1014 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" | 1048 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" |
| 1015 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" | 1049 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" |
| 1016 | ······register:·files_found | 1050 | ······register:·files_found |
| 1017 | ······tags: | 1051 | ······tags: |
| 1018 | ········-·file_groupowner_etc_gshadow | 1052 | ········-·file_groupowner_etc_gshadow |
| Offset 1168, 48 lines modified | Offset 1202, 14 lines modified | ||
| 1168 | ···· | 1202 | ···· |
| 1169 | ···· | 1203 | ···· |
| 1170 | ····-·name:·Find·/etc/passwd·file(s) | 1204 | ····-·name:·Find·/etc/passwd·file(s) |
| 1171 | ······find: | 1205 | ······find: |
| 1172 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 1173 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 1174 | ······register:·files_found | 1208 | ······register:·files_found |
| 1175 | ······tags: | ||
| 1176 | ········-·file_groupowner_etc_passwd | ||
| 1177 | ········-·medium_severity | ||
| 1178 | ········-·configure_strategy | ||
| 1179 | ········-·low_complexity | ||
| 1180 | ········-·low_disruption | ||
| 1181 | ········-·CCE-26639-5 | ||
| 1182 | ········-·NIST-800-53-AC-6 | ||
| 1183 | ········-·PCI-DSS-Req-8.7.c | ||
| 1184 | ········-·CJIS-5.5.2.2 | ||
| 1185 | ···· | ||
| 1186 | ····-·name:·Set·group·ownership·to·root | ||
| 1187 | ······file: | ||
| 1188 | ········path:·"{{·item.path·}}" | ||
| 1189 | ········group:·root | ||
| 1190 | ······with_items: | ||
| 1191 | ········-·"{{·files_found.files·}}" | ||
| 1192 | ······tags: | ||
| 1193 | ········-·file_groupowner_etc_passwd | ||
| 1194 | ········-·medium_severity | ||
| 1195 | ········-·configure_strategy | ||
| 1196 | ········-·low_complexity | ||
| 1197 | ········-·low_disruption | ||
| 1198 | ········-·CCE-26639-5 | ||
| 1199 | ········-·NIST-800-53-AC-6 | ||
| 1200 | ········-·PCI-DSS-Req-8.7.c | ||
| 1201 | ········-·CJIS-5.5.2.2 | ||
| 1202 | ···· | ||
| 1203 | ···· | ||
| 1204 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1205 | ······find: | ||
| 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1208 | ······register:·files_found | ||
| 1209 | ······tags: | 1209 | ······tags: |
| 1210 | ········-·file_permissions_etc_passwd | 1210 | ········-·file_permissions_etc_passwd |
| 1211 | ········-·medium_severity | 1211 | ········-·medium_severity |
| 1212 | ········-·configure_strategy | 1212 | ········-·configure_strategy |
| 1213 | ········-·low_complexity | 1213 | ········-·low_complexity |
| 1214 | ········-·low_disruption | 1214 | ········-·low_disruption |
| 1215 | ········-·CCE-26887-0 | 1215 | ········-·CCE-26887-0 |
| Offset 265, 37 lines modified | Offset 265, 14 lines modified | ||
| 265 | ········-·unknown_severity | 265 | ········-·unknown_severity |
| 266 | ········-·restrict_strategy | 266 | ········-·restrict_strategy |
| 267 | ········-·low_complexity | 267 | ········-·low_complexity |
| 268 | ········-·medium_disruption | 268 | ········-·medium_disruption |
| 269 | ········-·CCE-80200-9 | 269 | ········-·CCE-80200-9 |
| 270 | ········-·NIST-800-53-CM-6(b) | 270 | ········-·NIST-800-53-CM-6(b) |
| 271 | ···· | 271 | ···· |
| 272 | ····-·name:·Disable·service·autofs | ||
| 273 | ······service: | ||
| 274 | ········name="{{item}}" | ||
| 275 | ········enabled="no" | ||
| 276 | ········state="stopped" | ||
| 277 | ······register:·service_result | ||
| 278 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 279 | ······with_items: | ||
| 280 | ········-·autofs | ||
| 281 | ······tags: | ||
| 282 | ········-·service_autofs_disabled | ||
| 283 | ········-·medium_severity | ||
| 284 | ········-·disable_strategy | ||
| 285 | ········-·low_complexity | ||
| 286 | ········-·low_disruption | ||
| 287 | ········-·CCE-27498-5 | ||
| 288 | ········-·NIST-800-53-AC-19(a) | ||
| 289 | ········-·NIST-800-53-AC-19(d) | ||
| 290 | ········-·NIST-800-53-AC-19(e) | ||
| 291 | ········-·NIST-800-53-IA-3 | ||
| 292 | ········-·NIST-800-171-3.4.6 | ||
| 293 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 294 | ···· | ||
| 295 | ····-·name:·get·back·device·associated·to·mountpoint | 272 | ····-·name:·get·back·device·associated·to·mountpoint |
| 296 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 | 273 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 |
| 297 | ······register:·device_name | 274 | ······register:·device_name |
| 298 | ······check_mode:·no | 275 | ······check_mode:·no |
| 299 | ······tags: | 276 | ······tags: |
| 300 | ········-·mount_option_dev_shm_nosuid | 277 | ········-·mount_option_dev_shm_nosuid |
| 301 | ········-·unknown_severity | 278 | ········-·unknown_severity |
| Offset 406, 14 lines modified | Offset 383, 37 lines modified | ||
| 406 | ········-·configure_strategy | 383 | ········-·configure_strategy |
| 407 | ········-·low_complexity | 384 | ········-·low_complexity |
| 408 | ········-·high_disruption | 385 | ········-·high_disruption |
| 409 | ········-·CCE-80152-2 | 386 | ········-·CCE-80152-2 |
| 410 | ········-·NIST-800-53-CM-7 | 387 | ········-·NIST-800-53-CM-7 |
| 411 | ········-·NIST-800-53-MP-2 | 388 | ········-·NIST-800-53-MP-2 |
| 412 | ···· | 389 | ···· |
| 390 | ····-·name:·Disable·service·autofs | ||
| 391 | ······service: | ||
| 392 | ········name="{{item}}" | ||
| 393 | ········enabled="no" | ||
| 394 | ········state="stopped" | ||
| 395 | ······register:·service_result | ||
| 396 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 397 | ······with_items: | ||
| 398 | ········-·autofs | ||
| 399 | ······tags: | ||
| 400 | ········-·service_autofs_disabled | ||
| 401 | ········-·medium_severity | ||
| 402 | ········-·disable_strategy | ||
| 403 | ········-·low_complexity | ||
| 404 | ········-·low_disruption | ||
| 405 | ········-·CCE-27498-5 | ||
| 406 | ········-·NIST-800-53-AC-19(a) | ||
| 407 | ········-·NIST-800-53-AC-19(d) | ||
| 408 | ········-·NIST-800-53-AC-19(e) | ||
| 409 | ········-·NIST-800-53-IA-3 | ||
| 410 | ········-·NIST-800-171-3.4.6 | ||
| 411 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 412 | ···· | ||
| 413 | ···· | 413 | ···· |
| 414 | ····# | 414 | ····# |
| 415 | ····#·What·architecture·are·we·on? | 415 | ····#·What·architecture·are·we·on? |
| 416 | ····# | 416 | ····# |
| 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks | 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks |
| 418 | ······set_fact: | 418 | ······set_fact: |
| 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| Offset 970, 154 lines modified | Offset 970, 14 lines modified | ||
| 970 | ········-·CJIS-5.4.1.1 | 970 | ········-·CJIS-5.4.1.1 |
| 971 | ········-·DISA-STIG-RHEL-07-030460 | 971 | ········-·DISA-STIG-RHEL-07-030460 |
| 972 | ···· | 972 | ···· |
| 973 | ···· | 973 | ···· |
| 974 | ····# | 974 | ····# |
| 975 | ····#·What·architecture·are·we·on? | 975 | ····#·What·architecture·are·we·on? |
| 976 | ····# | 976 | ····# |
| 977 | ····-·name:·Set·architecture·for·audit·chmod·tasks | ||
| 978 | ······set_fact: | ||
| 979 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | ||
| 980 | ···· | ||
| 981 | ····# | ||
| 982 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | ||
| 983 | ····# | ||
| 984 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | ||
| 985 | ······find: | ||
| 986 | ········paths:·"/etc/audit/rules.d" | ||
| 987 | ········recurse:·no | ||
| 988 | ········contains:·"-F·key=perm_mod$" | ||
| 989 | ········patterns:·"*.rules" | ||
| 990 | ······register:·find_chmod | ||
| 991 | ···· | ||
| 992 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | ||
| 993 | ······set_fact: | ||
| 994 | ········all_files:· | ||
| 995 | ··········-·/etc/audit/rules.d/privileged.rules | ||
| 996 | ······when:·find_chmod.matched·==·0 | ||
| 997 | ···· | ||
| 998 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | ||
| 999 | ······set_fact: | ||
| 1000 | ········all_files: | ||
| 1001 | ··········-·"{{·find_chmod.files·|·map(attribute='path')·|·list·|·first·}}" | ||
| 1002 | ······when:·find_chmod.matched·>·0 | ||
| 1003 | ···· | ||
| 1004 | ····-·name:·Inserts/replaces·the·chmod·rule·in·rules.d·when·on·x86 | ||
| 1005 | ······lineinfile: | ||
| 1006 | ········path:·"{{·all_files[0]·}}" | ||
| 1007 | ········line:·"-a·always,exit·-F·arch=b32·-S·chmod·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" | ||
| 1008 | ········create:·yes | ||
| 1009 | ······tags: | ||
| 1010 | ········-·audit_rules_dac_modification_chmod | ||
| 1011 | ········-·unknown_severity | ||
| 1012 | ········-·restrict_strategy | ||
| 1013 | ········-·low_complexity | ||
| 1014 | ········-·low_disruption | ||
| 1015 | ········-·CCE-27339-1 | ||
| 1016 | ········-·NIST-800-53-AC-17(7) | ||
| 1017 | ········-·NIST-800-53-AU-1(b) | ||
| 1018 | ········-·NIST-800-53-AU-2(a) | ||
| 1019 | ········-·NIST-800-53-AU-2(c) | ||
| 1020 | ········-·NIST-800-53-AU-2(d) | ||
| Max diff block lines reached; 17435/24355 bytes (71.59%) of diff not shown. | |||
| Offset 43, 18 lines modified | Offset 43, 18 lines modified | ||
| 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 54 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 55 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 56 | ······var_accounts_minimum_age_login_defs:·1 |
| 57 | ······var_accounts_maximum_age_login_defs:·60 | 57 | ······var_accounts_maximum_age_login_defs:·60 |
| 58 | ······var_account_disable_post_pw_expiration:·0 | 58 | ······var_account_disable_post_pw_expiration:·0 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 71, 17 lines modified | Offset 71, 17 lines modified | ||
| 71 | ······var_password_pam_difok:·8 | 71 | ······var_password_pam_difok:·8 |
| 72 | ······var_password_pam_ocredit:·-1 | 72 | ······var_password_pam_ocredit:·-1 |
| 73 | ······var_password_pam_lcredit:·-1 | 73 | ······var_password_pam_lcredit:·-1 |
| 74 | ······var_password_pam_ucredit:·-1 | 74 | ······var_password_pam_ucredit:·-1 |
| 75 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 77 | ······var_accounts_user_umask:·077 | 77 | ······var_accounts_user_umask:·077 |
| 78 | ······var_accounts_tmout:·600 | ||
| 79 | ······var_accounts_fail_delay:·4 | 78 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_max_concurrent_login_sessions:·10 | 79 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 80 | ······var_accounts_tmout:·600 | ||
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······inactivity_timeout_value:·900 | 84 | ······inactivity_timeout_value:·900 |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| Offset 790, 33 lines modified | Offset 790, 14 lines modified | ||
| 790 | ········-·low_disruption | 790 | ········-·low_disruption |
| 791 | ········-·CCE-27343-3 | 791 | ········-·CCE-27343-3 |
| 792 | ········-·NIST-800-53-AU-3(2) | 792 | ········-·NIST-800-53-AU-3(2) |
| 793 | ········-·NIST-800-53-AU-4(1) | 793 | ········-·NIST-800-53-AU-4(1) |
| 794 | ········-·NIST-800-53-AU-9 | 794 | ········-·NIST-800-53-AU-9 |
| 795 | ········-·DISA-STIG-RHEL-07-031000 | 795 | ········-·DISA-STIG-RHEL-07-031000 |
| 796 | ···· | 796 | ···· |
| 797 | ···· | ||
| 798 | ···· | ||
| 799 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 800 | ······sysctl: | ||
| 801 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 802 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 803 | ········state:·present | ||
| 804 | ········reload:·yes | ||
| 805 | ······tags: | ||
| 806 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 807 | ········-·medium_severity | ||
| 808 | ········-·disable_strategy | ||
| 809 | ········-·low_complexity | ||
| 810 | ········-·medium_disruption | ||
| 811 | ········-·CCE-80179-5 | ||
| 812 | ········-·NIST-800-53-AC-4 | ||
| 813 | ········-·NIST-800-171-3.1.20 | ||
| 814 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 815 | ···· | ||
| 816 | ····-·name:·Enable·service·firewalld | 797 | ····-·name:·Enable·service·firewalld |
| 817 | ······service: | 798 | ······service: |
| 818 | ········name="{{item}}" | 799 | ········name="{{item}}" |
| 819 | ········enabled="yes" | 800 | ········enabled="yes" |
| 820 | ········state="started" | 801 | ········state="started" |
| 821 | ······with_items: | 802 | ······with_items: |
| 822 | ········-·firewalld | 803 | ········-·firewalld |
| Offset 830, 14 lines modified | Offset 811, 33 lines modified | ||
| 830 | ········-·NIST-800-53-CM-6(b) | 811 | ········-·NIST-800-53-CM-6(b) |
| 831 | ········-·NIST-800-171-3.1.3 | 812 | ········-·NIST-800-171-3.1.3 |
| 832 | ········-·NIST-800-171-3.4.7 | 813 | ········-·NIST-800-171-3.4.7 |
| 833 | ········-·DISA-STIG-RHEL-07-040520 | 814 | ········-·DISA-STIG-RHEL-07-040520 |
| 834 | ···· | 815 | ···· |
| 835 | ···· | 816 | ···· |
| 836 | ···· | 817 | ···· |
| 818 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 819 | ······sysctl: | ||
| 820 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 821 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 822 | ········state:·present | ||
| 823 | ········reload:·yes | ||
| 824 | ······tags: | ||
| 825 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 826 | ········-·medium_severity | ||
| 827 | ········-·disable_strategy | ||
| 828 | ········-·low_complexity | ||
| 829 | ········-·medium_disruption | ||
| 830 | ········-·CCE-80179-5 | ||
| 831 | ········-·NIST-800-53-AC-4 | ||
| 832 | ········-·NIST-800-171-3.1.20 | ||
| 833 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 834 | ···· | ||
| 835 | ···· | ||
| 836 | ···· | ||
| 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set | 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set |
| 838 | ······sysctl: | 838 | ······sysctl: |
| 839 | ········name:·net.ipv4.conf.default.accept_source_route | 839 | ········name:·net.ipv4.conf.default.accept_source_route |
| 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" | 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" |
| 841 | ········state:·present | 841 | ········state:·present |
| 842 | ········reload:·yes | 842 | ········reload:·yes |
| 843 | ······tags: | 843 | ······tags: |
| Offset 853, 56 lines modified | Offset 853, 55 lines modified | ||
| 853 | ········-·NIST-800-53-SC-7 | 853 | ········-·NIST-800-53-SC-7 |
| 854 | ········-·NIST-800-171-3.1.20 | 854 | ········-·NIST-800-171-3.1.20 |
| 855 | ········-·CJIS-5.10.1.1 | 855 | ········-·CJIS-5.10.1.1 |
| 856 | ········-·DISA-STIG-RHEL-07-040620 | 856 | ········-·DISA-STIG-RHEL-07-040620 |
| 857 | ···· | 857 | ···· |
| 858 | ···· | 858 | ···· |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Ensure·sysctl·net.ipv4. | 860 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 861 | ······sysctl: | 861 | ······sysctl: |
| 862 | ········name:·net.ipv4. | 862 | ········name:·net.ipv4.conf.default.accept_redirects |
| 863 | ········value:·"{{·sysctl_net_ipv4_ | 863 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 864 | ········state:·present | 864 | ········state:·present |
| 865 | ········reload:·yes | 865 | ········reload:·yes |
| 866 | ······tags: | 866 | ······tags: |
| 867 | ········-·sysctl_net_ipv4_ | 867 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 868 | ········-·medium_severity | 868 | ········-·medium_severity |
| 869 | ········-·disable_strategy | 869 | ········-·disable_strategy |
| 870 | ········-·low_complexity | 870 | ········-·low_complexity |
| 871 | ········-·medium_disruption | 871 | ········-·medium_disruption |
| Max diff block lines reached; 74412/81586 bytes (91.21%) of diff not shown. | |||
| Offset 39, 44 lines modified | Offset 39, 44 lines modified | ||
| 39 | ·······assert: | 39 | ·······assert: |
| 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 40 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 41 | ·········msg:·> | 41 | ·········msg:·> |
| 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 42 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······var_auditd_max_log_file:·1 | ||
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_space_left_action:·suspend | ||
| 49 | ······var_auditd_admin_space_left_action:·suspend | ||
| 50 | ······var_auditd_max_log_file_action:·ignore | ||
| 46 | ······rsyslog_remote_loghost_address:·None | 51 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 52 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 55 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 59 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 60 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 61 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 62 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 60 | ······sysctl_net_ipv4_c | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 61 | ······var_selinux_policy_name:·targeted | 66 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 67 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | 68 | ······var_accounts_minimum_age_login_defs:·1 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 70 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 71 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 72 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 73 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 74 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 75 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_auditd_action_mail_acct:·admin | ||
| 72 | ······var_auditd_max_log_file:·1 | ||
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | ||
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ······var_removable_partition:·/dev/cdrom | 77 | ······var_removable_partition:·/dev/cdrom |
| 78 | ······var_removable_partition:·/dev/cdrom | 78 | ······var_removable_partition:·/dev/cdrom |
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·vsftpd·is·removed | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| Offset 103, 29 lines modified | Offset 103, 14 lines modified | ||
| 103 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 104 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 105 | ········-·low_complexity | 105 | ········-·low_complexity |
| 106 | ········-·low_disruption | 106 | ········-·low_disruption |
| 107 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 108 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 109 | ···· | 109 | ···· |
| 110 | ····-·name:·Ensure·dhcp·is·removed | ||
| 111 | ······package: | ||
| 112 | ········name="{{item}}" | ||
| 113 | ········state=absent | ||
| 114 | ······with_items: | ||
| 115 | ········-·dhcp | ||
| 116 | ······tags: | ||
| 117 | ········-·package_dhcp_removed | ||
| 118 | ········-·medium_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27120-5 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ···· | ||
| 125 | ····-·name:·Enable·service·ntpd | 110 | ····-·name:·Enable·service·ntpd |
| 126 | ······service: | 111 | ······service: |
| 127 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 128 | ········enabled="yes" | 113 | ········enabled="yes" |
| 129 | ········state="started" | 114 | ········state="started" |
| 130 | ······with_items: | 115 | ······with_items: |
| 131 | ········-·ntpd | 116 | ········-·ntpd |
| Offset 168, 65 lines modified | Offset 153, 14 lines modified | ||
| 168 | ········-·package_net-snmp_removed | 153 | ········-·package_net-snmp_removed |
| 169 | ········-·unknown_severity | 154 | ········-·unknown_severity |
| 170 | ········-·disable_strategy | 155 | ········-·disable_strategy |
| 171 | ········-·low_complexity | 156 | ········-·low_complexity |
| 172 | ········-·low_disruption | 157 | ········-·low_disruption |
| 173 | ········-·CCE-26332-7 | 158 | ········-·CCE-26332-7 |
| 174 | ···· | 159 | ···· |
| 175 | ····-·name:·Enable·service·crond | ||
| 176 | ······service: | ||
| 177 | ········name="{{item}}" | ||
| 178 | ········enabled="yes" | ||
| 179 | ········state="started" | ||
| 180 | ······with_items: | ||
| 181 | ········-·crond | ||
| 182 | ······tags: | ||
| 183 | ········-·service_crond_enabled | ||
| 184 | ········-·medium_severity | ||
| 185 | ········-·enable_strategy | ||
| 186 | ········-·low_complexity | ||
| 187 | ········-·low_disruption | ||
| 188 | ········-·CCE-27070-2 | ||
| 189 | ········-·NIST-800-53-CM-7 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 191 | ···· | ||
| 192 | ····-·name:·Disable·service·atd | ||
| 193 | ······service: | ||
| 194 | ········name="{{item}}" | ||
| 195 | ········enabled="no" | ||
| 196 | ········state="stopped" | ||
| 197 | ······register:·service_result | ||
| 198 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 199 | ······with_items: | ||
| 200 | ········-·atd | ||
| 201 | ······tags: | ||
| 202 | ········-·service_atd_disabled | ||
| 203 | ········-·unknown_severity | ||
| 204 | ········-·disable_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27249-2 | ||
| 208 | ········-·NIST-800-53-CM-7 | ||
| 209 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 210 | ···· | ||
| 211 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| Max diff block lines reached; 80006/84947 bytes (94.18%) of diff not shown. | |||
| Offset 33, 31 lines modified | Offset 33, 31 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 50 | ······sysctl_net_ipv4_c | 49 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 54 | ······var_accounts_minimum_age_login_defs:·1 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 207, 65 lines modified | Offset 207, 14 lines modified | ||
| 207 | ········-·service_snmpd_disabled | 207 | ········-·service_snmpd_disabled |
| 208 | ········-·unknown_severity | 208 | ········-·unknown_severity |
| 209 | ········-·disable_strategy | 209 | ········-·disable_strategy |
| 210 | ········-·low_complexity | 210 | ········-·low_complexity |
| 211 | ········-·low_disruption | 211 | ········-·low_disruption |
| 212 | ········-·CCE-26906-8 | 212 | ········-·CCE-26906-8 |
| 213 | ···· | 213 | ···· |
| 214 | ····-·name:·Enable·service·crond | ||
| 215 | ······service: | ||
| 216 | ········name="{{item}}" | ||
| 217 | ········enabled="yes" | ||
| 218 | ········state="started" | ||
| 219 | ······with_items: | ||
| 220 | ········-·crond | ||
| 221 | ······tags: | ||
| 222 | ········-·service_crond_enabled | ||
| 223 | ········-·medium_severity | ||
| 224 | ········-·enable_strategy | ||
| 225 | ········-·low_complexity | ||
| 226 | ········-·low_disruption | ||
| 227 | ········-·CCE-27070-2 | ||
| 228 | ········-·NIST-800-53-CM-7 | ||
| 229 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 230 | ···· | ||
| 231 | ····-·name:·Disable·service·atd | ||
| 232 | ······service: | ||
| 233 | ········name="{{item}}" | ||
| 234 | ········enabled="no" | ||
| 235 | ········state="stopped" | ||
| 236 | ······register:·service_result | ||
| 237 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 238 | ······with_items: | ||
| 239 | ········-·atd | ||
| 240 | ······tags: | ||
| 241 | ········-·service_atd_disabled | ||
| 242 | ········-·unknown_severity | ||
| 243 | ········-·disable_strategy | ||
| 244 | ········-·low_complexity | ||
| 245 | ········-·low_disruption | ||
| 246 | ········-·CCE-27249-2 | ||
| 247 | ········-·NIST-800-53-CM-7 | ||
| 248 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 249 | ···· | ||
| 250 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·xorg-x11-server-common | ||
| 256 | ······tags: | ||
| 257 | ········-·package_xorg-x11-server-common_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-27198-1 | ||
| 263 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 264 | ···· | ||
| 265 | ····-·name:·Ensure·rsh-server·is·removed | 214 | ····-·name:·Ensure·rsh-server·is·removed |
| 266 | ······package: | 215 | ······package: |
| 267 | ········name="{{item}}" | 216 | ········name="{{item}}" |
| 268 | ········state=absent | 217 | ········state=absent |
| 269 | ······with_items: | 218 | ······with_items: |
| 270 | ········-·rsh-server | 219 | ········-·rsh-server |
| 271 | ······tags: | 220 | ······tags: |
| Offset 420, 132 lines modified | Offset 369, 81 lines modified | ||
| 420 | ········-·disable_strategy | 369 | ········-·disable_strategy |
| 421 | ········-·low_complexity | 370 | ········-·low_complexity |
| 422 | ········-·low_disruption | 371 | ········-·low_disruption |
| 423 | ········-·CCE-27005-8 | 372 | ········-·CCE-27005-8 |
| 424 | ········-·NIST-800-53-CM-7 | 373 | ········-·NIST-800-53-CM-7 |
| 425 | ········-·DISA-STIG-RHEL-06-000204 | 374 | ········-·DISA-STIG-RHEL-06-000204 |
| 426 | ···· | 375 | ···· |
| 427 | ····-·name:· | 376 | ····-·name:·Ensure·xorg-x11-server-common·is·removed |
| 428 | ······ | 377 | ······package: |
| 429 | ········name="{{item}}" | ||
| 430 | ········enabled="no" | ||
| 431 | ········state="stopped" | ||
| 432 | ······register:·service_result | ||
| 433 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 434 | ······with_items: | ||
| 435 | ········-·rpcgssd | ||
| 436 | ······tags: | ||
| 437 | ········-·service_rpcgssd_disabled | ||
| 438 | ········-·unknown_severity | ||
| 439 | ········-·disable_strategy | ||
| 440 | ········-·low_complexity | ||
| 441 | ········-·low_disruption | ||
| 442 | ········-·CCE-26864-9 | ||
| 443 | ···· | ||
| 444 | ····-·name:·Disable·service·rpcidmapd | ||
| 445 | ······service: | ||
| Max diff block lines reached; 142861/148402 bytes (96.27%) of diff not shown. | |||
| Offset 34, 39 lines modified | Offset 34, 39 lines modified | ||
| 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 34 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······var_auditd_max_log_file:·1 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·suspend | ||
| 45 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 52 | ······sysctl_net_ipv4_c | 56 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 57 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·mls | 58 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 60 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·180 | 61 | ······var_accounts_maximum_age_login_defs:·180 |
| 62 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 63 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 64 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_action_mail_acct:·admin | ||
| 62 | ······var_auditd_max_log_file:·1 | ||
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | ||
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | 67 | ····-·name:·Disable·service·vsftpd |
| 68 | ······service: | 68 | ······service: |
| 69 | ········name="{{item}}" | 69 | ········name="{{item}}" |
| 70 | ········enabled="no" | 70 | ········enabled="no" |
| 71 | ········state="stopped" | 71 | ········state="stopped" |
| 72 | ······register:·service_result | 72 | ······register:·service_result |
| Offset 123, 47 lines modified | Offset 123, 14 lines modified | ||
| 123 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 124 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 125 | ········-·low_complexity | 125 | ········-·low_complexity |
| 126 | ········-·low_disruption | 126 | ········-·low_disruption |
| 127 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 128 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 129 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·dhcp·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·dhcp | ||
| 136 | ······tags: | ||
| 137 | ········-·package_dhcp_removed | ||
| 138 | ········-·medium_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-27120-5 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ···· | ||
| 145 | ····-·name:·Disable·service·dhcpd | ||
| 146 | ······service: | ||
| 147 | ········name="{{item}}" | ||
| 148 | ········enabled="no" | ||
| 149 | ········state="stopped" | ||
| 150 | ······register:·service_result | ||
| 151 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 152 | ······with_items: | ||
| 153 | ········-·dhcpd | ||
| 154 | ······tags: | ||
| 155 | ········-·service_dhcpd_disabled | ||
| 156 | ········-·medium_severity | ||
| 157 | ········-·disable_strategy | ||
| 158 | ········-·low_complexity | ||
| 159 | ········-·low_disruption | ||
| 160 | ········-·CCE-27074-4 | ||
| 161 | ········-·NIST-800-53-CM-7 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Enable·service·ntpd | 130 | ····-·name:·Enable·service·ntpd |
| 164 | ······service: | 131 | ······service: |
| 165 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 166 | ········enabled="yes" | 133 | ········enabled="yes" |
| 167 | ········state="started" | 134 | ········state="started" |
| 168 | ······with_items: | 135 | ······with_items: |
| 169 | ········-·ntpd | 136 | ········-·ntpd |
| Offset 192, 50 lines modified | Offset 159, 14 lines modified | ||
| 192 | ········-·unknown_severity | 159 | ········-·unknown_severity |
| 193 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 194 | ········-·low_complexity | 161 | ········-·low_complexity |
| 195 | ········-·low_disruption | 162 | ········-·low_disruption |
| 196 | ········-·CCE-26899-5 | 163 | ········-·CCE-26899-5 |
| 197 | ········-·NIST-800-53-CM-7 | 164 | ········-·NIST-800-53-CM-7 |
| 198 | ···· | 165 | ···· |
| 199 | ····-·name:·Enable·service·crond | ||
| 200 | ······service: | ||
| 201 | ········name="{{item}}" | ||
| 202 | ········enabled="yes" | ||
| 203 | ········state="started" | ||
| 204 | ······with_items: | ||
| 205 | ········-·crond | ||
| 206 | ······tags: | ||
| 207 | ········-·service_crond_enabled | ||
| 208 | ········-·medium_severity | ||
| 209 | ········-·enable_strategy | ||
| 210 | ········-·low_complexity | ||
| 211 | ········-·low_disruption | ||
| 212 | ········-·CCE-27070-2 | ||
| 213 | ········-·NIST-800-53-CM-7 | ||
| 214 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 215 | ···· | ||
| 216 | ····-·name:·Disable·service·atd | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="no" | ||
| 220 | ········state="stopped" | ||
| 221 | ······register:·service_result | ||
| 222 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 223 | ······with_items: | ||
| Max diff block lines reached; 102912/107604 bytes (95.64%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·vsftpd | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| Offset 128, 47 lines modified | Offset 128, 14 lines modified | ||
| 128 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 129 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 130 | ········-·low_complexity | 130 | ········-·low_complexity |
| 131 | ········-·low_disruption | 131 | ········-·low_disruption |
| 132 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 133 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 134 | ···· | 134 | ···· |
| 135 | ····-·name:·Ensure·dhcp·is·removed | ||
| 136 | ······package: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········state=absent | ||
| 139 | ······with_items: | ||
| 140 | ········-·dhcp | ||
| 141 | ······tags: | ||
| 142 | ········-·package_dhcp_removed | ||
| 143 | ········-·medium_severity | ||
| 144 | ········-·disable_strategy | ||
| 145 | ········-·low_complexity | ||
| 146 | ········-·low_disruption | ||
| 147 | ········-·CCE-27120-5 | ||
| 148 | ········-·NIST-800-53-CM-7 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·dhcpd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·dhcpd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_dhcpd_disabled | ||
| 161 | ········-·medium_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27074-4 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Enable·service·ntpd | 135 | ····-·name:·Enable·service·ntpd |
| 169 | ······service: | 136 | ······service: |
| 170 | ········name="{{item}}" | 137 | ········name="{{item}}" |
| 171 | ········enabled="yes" | 138 | ········enabled="yes" |
| 172 | ········state="started" | 139 | ········state="started" |
| 173 | ······with_items: | 140 | ······with_items: |
| 174 | ········-·ntpd | 141 | ········-·ntpd |
| Offset 210, 50 lines modified | Offset 177, 14 lines modified | ||
| 210 | ········-·service_snmpd_disabled | 177 | ········-·service_snmpd_disabled |
| 211 | ········-·unknown_severity | 178 | ········-·unknown_severity |
| 212 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 213 | ········-·low_complexity | 180 | ········-·low_complexity |
| 214 | ········-·low_disruption | 181 | ········-·low_disruption |
| 215 | ········-·CCE-26906-8 | 182 | ········-·CCE-26906-8 |
| 216 | ···· | 183 | ···· |
| 217 | ····-·name:·Enable·service·crond | ||
| 218 | ······service: | ||
| 219 | ········name="{{item}}" | ||
| 220 | ········enabled="yes" | ||
| 221 | ········state="started" | ||
| 222 | ······with_items: | ||
| 223 | ········-·crond | ||
| 224 | ······tags: | ||
| 225 | ········-·service_crond_enabled | ||
| 226 | ········-·medium_severity | ||
| 227 | ········-·enable_strategy | ||
| 228 | ········-·low_complexity | ||
| 229 | ········-·low_disruption | ||
| 230 | ········-·CCE-27070-2 | ||
| 231 | ········-·NIST-800-53-CM-7 | ||
| 232 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 233 | ···· | ||
| 234 | ····-·name:·Disable·service·atd | ||
| 235 | ······service: | ||
| 236 | ········name="{{item}}" | ||
| 237 | ········enabled="no" | ||
| 238 | ········state="stopped" | ||
| Max diff block lines reached; 120474/125324 bytes (96.13%) of diff not shown. | |||
| Offset 29, 46 lines modified | Offset 29, 46 lines modified | ||
| 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. | 29 | ·····-·name:·Verify·Ansible·meets·SCAP-Security-Guide·version·requirements. |
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······var_auditd_max_log_file:·1 | ||
| 37 | ······var_auditd_action_mail_acct:·admin | ||
| 38 | ······var_auditd_space_left_action:·suspend | ||
| 39 | ······var_auditd_admin_space_left_action:·halt | ||
| 40 | ······var_auditd_max_log_file_action:·ignore | ||
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 48 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 49 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 56 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 60 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 61 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 65 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 67 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_auditd_action_mail_acct:·admin | ||
| 64 | ······var_auditd_max_log_file:·1 | ||
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ······var_removable_partition:·/dev/cdrom | 69 | ······var_removable_partition:·/dev/cdrom |
| 70 | ······var_removable_partition:·/dev/cdrom | 70 | ······var_removable_partition:·/dev/cdrom |
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| Offset 83, 50 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 126 | ····-·name:·Ensure·rsh·is·removed | 90 | ····-·name:·Ensure·rsh·is·removed |
| 127 | ······package: | 91 | ······package: |
| 128 | ········name="{{item}}" | 92 | ········name="{{item}}" |
| 129 | ········state=absent | 93 | ········state=absent |
| 130 | ······with_items: | 94 | ······with_items: |
| 131 | ········-·rsh | 95 | ········-·rsh |
| 132 | ······tags: | 96 | ······tags: |
| Offset 279, 30 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 286 | ····-·name:· | 250 | ····-·name:·Enable·service·crond |
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| Max diff block lines reached; 114846/119591 bytes (96.03%) of diff not shown. | |||
| Offset 30, 43 lines modified | Offset 30, 43 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_auditd_max_log_file:·6 | ||
| 38 | ······var_auditd_admin_space_left_action:·single | ||
| 39 | ······var_auditd_max_log_file_action:·rotate | ||
| 37 | ······rsyslog_remote_loghost_address:·None | 40 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 43 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 45 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 47 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_c | 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 56 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | 57 | ······var_accounts_minimum_age_login_defs:·7 |
| 58 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 60 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 61 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 62 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 63 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 64 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 65 | ······var_accounts_tmout:·600 |
| 63 | ······var_auditd_max_log_file:·6 | ||
| 64 | ······var_auditd_admin_space_left_action:·single | ||
| 65 | ······var_auditd_max_log_file_action:·rotate | ||
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | 68 | ····-·name:·Ensure·vsftpd·is·installed |
| 69 | ······package: | 69 | ······package: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········state=present | 71 | ········state=present |
| 72 | ······with_items: | 72 | ······with_items: |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| 310 | ········-·CCE-27005-8 | 259 | ········-·CCE-27005-8 |
| 311 | ········-·NIST-800-53-CM-7 | 260 | ········-·NIST-800-53-CM-7 |
| 312 | ········-·DISA-STIG-RHEL-06-000204 | 261 | ········-·DISA-STIG-RHEL-06-000204 |
| 313 | ···· | 262 | ···· |
| 263 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 264 | ······package: | ||
| 265 | ········name="{{item}}" | ||
| 266 | ········state=absent | ||
| Max diff block lines reached; 103453/109628 bytes (94.37%) of diff not shown. | |||
| Offset 34, 47 lines modified | Offset 34, 47 lines modified | ||
| 34 | ·······assert: | 34 | ·······assert: |
| 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 35 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······var_auditd_max_log_file:·6 | ||
| 42 | ······var_auditd_action_mail_acct:·admin | ||
| 43 | ······var_auditd_space_left_action:·suspend | ||
| 44 | ······var_auditd_admin_space_left_action:·single | ||
| 45 | ······var_auditd_max_log_file_action:·rotate | ||
| 41 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 56 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 57 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_ | 58 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 55 | ······sysctl_net_ipv4_c | 59 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 60 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 56 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 63 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | 64 | ······var_accounts_minimum_age_login_defs:·7 |
| 65 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 66 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 67 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 68 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 69 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 70 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 71 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 72 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 73 | ······var_accounts_tmout:·600 |
| 69 | ······var_auditd_action_mail_acct:·admin | ||
| 70 | ······var_auditd_max_log_file:·6 | ||
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | ||
| 74 | ······var_removable_partition:·/dev/cdrom | 74 | ······var_removable_partition:·/dev/cdrom |
| 75 | ······var_removable_partition:·/dev/cdrom | 75 | ······var_removable_partition:·/dev/cdrom |
| 76 | ······var_removable_partition:·/dev/cdrom | 76 | ······var_removable_partition:·/dev/cdrom |
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:·Ensure·vsftpd·is·removed | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······package: | 79 | ······package: |
| 80 | ········name="{{item}}" | 80 | ········name="{{item}}" |
| Offset 119, 47 lines modified | Offset 119, 14 lines modified | ||
| 119 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 120 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 121 | ········-·low_complexity | 121 | ········-·low_complexity |
| 122 | ········-·low_disruption | 122 | ········-·low_disruption |
| 123 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 124 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Ensure·dhcp·is·removed | ||
| 127 | ······package: | ||
| 128 | ········name="{{item}}" | ||
| 129 | ········state=absent | ||
| 130 | ······with_items: | ||
| 131 | ········-·dhcp | ||
| 132 | ······tags: | ||
| 133 | ········-·package_dhcp_removed | ||
| 134 | ········-·medium_severity | ||
| 135 | ········-·disable_strategy | ||
| 136 | ········-·low_complexity | ||
| 137 | ········-·low_disruption | ||
| 138 | ········-·CCE-27120-5 | ||
| 139 | ········-·NIST-800-53-CM-7 | ||
| 140 | ···· | ||
| 141 | ····-·name:·Disable·service·dhcpd | ||
| 142 | ······service: | ||
| 143 | ········name="{{item}}" | ||
| 144 | ········enabled="no" | ||
| 145 | ········state="stopped" | ||
| 146 | ······register:·service_result | ||
| 147 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 148 | ······with_items: | ||
| 149 | ········-·dhcpd | ||
| 150 | ······tags: | ||
| 151 | ········-·service_dhcpd_disabled | ||
| 152 | ········-·medium_severity | ||
| 153 | ········-·disable_strategy | ||
| 154 | ········-·low_complexity | ||
| 155 | ········-·low_disruption | ||
| 156 | ········-·CCE-27074-4 | ||
| 157 | ········-·NIST-800-53-CM-7 | ||
| 158 | ···· | ||
| 159 | ····-·name:·Enable·service·ntpd | 126 | ····-·name:·Enable·service·ntpd |
| 160 | ······service: | 127 | ······service: |
| 161 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 162 | ········enabled="yes" | 129 | ········enabled="yes" |
| 163 | ········state="started" | 130 | ········state="started" |
| 164 | ······with_items: | 131 | ······with_items: |
| 165 | ········-·ntpd | 132 | ········-·ntpd |
| Offset 188, 50 lines modified | Offset 155, 14 lines modified | ||
| 188 | ········-·unknown_severity | 155 | ········-·unknown_severity |
| 189 | ········-·disable_strategy | 156 | ········-·disable_strategy |
| 190 | ········-·low_complexity | 157 | ········-·low_complexity |
| 191 | ········-·low_disruption | 158 | ········-·low_disruption |
| 192 | ········-·CCE-26899-5 | 159 | ········-·CCE-26899-5 |
| 193 | ········-·NIST-800-53-CM-7 | 160 | ········-·NIST-800-53-CM-7 |
| 194 | ···· | 161 | ···· |
| 195 | ····-·name:·Enable·service·crond | ||
| 196 | ······service: | ||
| 197 | ········name="{{item}}" | ||
| 198 | ········enabled="yes" | ||
| 199 | ········state="started" | ||
| 200 | ······with_items: | ||
| 201 | ········-·crond | ||
| 202 | ······tags: | ||
| 203 | ········-·service_crond_enabled | ||
| 204 | ········-·medium_severity | ||
| 205 | ········-·enable_strategy | ||
| 206 | ········-·low_complexity | ||
| 207 | ········-·low_disruption | ||
| 208 | ········-·CCE-27070-2 | ||
| 209 | ········-·NIST-800-53-CM-7 | ||
| 210 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 142180/147328 bytes (96.51%) of diff not shown. | |||
| Offset 30, 26 lines modified | Offset 30, 26 lines modified | ||
| 30 | ·······assert: | 30 | ·······assert: |
| 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 31 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·900 | 36 | ······sshd_idle_timeout_value:·900 |
| 37 | ······var_auditd_max_log_file:·1 | ||
| 38 | ······var_auditd_action_mail_acct:·admin | ||
| 39 | ······var_auditd_space_left_action:·suspend | ||
| 40 | ······var_auditd_admin_space_left_action:·suspend | ||
| 41 | ······var_auditd_max_log_file_action:·ignore | ||
| 37 | ······var_accounts_maximum_age_login_defs:·90 | 42 | ······var_accounts_maximum_age_login_defs:·90 |
| 38 | ······var_account_disable_post_pw_expiration:·90 | 43 | ······var_account_disable_post_pw_expiration:·90 |
| 39 | ······var_password_pam_unix_remember:·4 | 44 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 45 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 46 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 47 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 48 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_action_mail_acct:·admin | ||
| 45 | ······var_auditd_max_log_file:·1 | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | ||
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| 55 | ······with_items: | 55 | ······with_items: |
| Offset 83, 723 lines modified | Offset 83, 34 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| Max diff block lines reached; 56106/71240 bytes (78.76%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 23 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | 40 | ······var_accounts_minimum_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 68 | ····-·name:·Ensure·rsh-server·is·removed | 49 | ····-·name:·Ensure·rsh-server·is·removed |
| 69 | ······package: | 50 | ······package: |
| 70 | ········name="{{item}}" | 51 | ········name="{{item}}" |
| 71 | ········state=absent | 52 | ········state=absent |
| 72 | ······with_items: | 53 | ······with_items: |
| 73 | ········-·rsh-server | 54 | ········-·rsh-server |
| 74 | ······tags: | 55 | ······tags: |
| Offset 198, 14 lines modified | Offset 179, 33 lines modified | ||
| 198 | ········-·disable_strategy | 179 | ········-·disable_strategy |
| 199 | ········-·low_complexity | 180 | ········-·low_complexity |
| 200 | ········-·low_disruption | 181 | ········-·low_disruption |
| 201 | ········-·CCE-27005-8 | 182 | ········-·CCE-27005-8 |
| 202 | ········-·NIST-800-53-CM-7 | 183 | ········-·NIST-800-53-CM-7 |
| 203 | ········-·DISA-STIG-RHEL-06-000204 | 184 | ········-·DISA-STIG-RHEL-06-000204 |
| 204 | ···· | 185 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 480, 219 lines modified | Offset 499, 14 lines modified | ||
| 480 | ········-·low_disruption | 499 | ········-·low_disruption |
| 481 | ········-·CCE-27100-7 | 500 | ········-·CCE-27100-7 |
| 482 | ········-·NIST-800-53-AC-3 | 501 | ········-·NIST-800-53-AC-3 |
| 483 | ········-·NIST-800-53-AC-6(2) | 502 | ········-·NIST-800-53-AC-6(2) |
| 484 | ········-·NIST-800-53-IA-2(1) | 503 | ········-·NIST-800-53-IA-2(1) |
| 485 | ········-·DISA-STIG-RHEL-06-000237 | 504 | ········-·DISA-STIG-RHEL-06-000237 |
| 486 | ···· | 505 | ···· |
| 487 | ····-·name:·Disable·service·avahi-daemon | ||
| 488 | ······service: | ||
| 489 | ········name="{{item}}" | ||
| 490 | ········enabled="no" | ||
| 491 | ········state="stopped" | ||
| 492 | ······register:·service_result | ||
| 493 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| Max diff block lines reached; 12595/22494 bytes (55.99%) of diff not shown. | |||
| Offset 31, 43 lines modified | Offset 31, 43 lines modified | ||
| 31 | ·······assert: | 31 | ·······assert: |
| 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 32 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 33 | ·········msg:·> | 33 | ·········msg:·> |
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······var_auditd_max_log_file:·6 | ||
| 39 | ······var_auditd_admin_space_left_action:·single | ||
| 40 | ······var_auditd_max_log_file_action:·rotate | ||
| 38 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 44 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_c | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 57 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | 58 | ······var_accounts_minimum_age_login_defs:·7 |
| 59 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 60 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 61 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 62 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 63 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 64 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 65 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 66 | ······var_accounts_tmout:·600 |
| 64 | ······var_auditd_max_log_file:·6 | ||
| 65 | ······var_auditd_admin_space_left_action:·single | ||
| 66 | ······var_auditd_max_log_file_action:·rotate | ||
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Enable·service·ntpd | 69 | ····-·name:·Enable·service·ntpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="yes" | 72 | ········enabled="yes" |
| 73 | ········state="started" | 73 | ········state="started" |
| Offset 80, 65 lines modified | Offset 80, 14 lines modified | ||
| 80 | ········-·low_complexity | 80 | ········-·low_complexity |
| 81 | ········-·low_disruption | 81 | ········-·low_disruption |
| 82 | ········-·CCE-27093-4 | 82 | ········-·CCE-27093-4 |
| 83 | ········-·NIST-800-53-AU-8(1) | 83 | ········-·NIST-800-53-AU-8(1) |
| 84 | ········-·PCI-DSS-Req-10.4 | 84 | ········-·PCI-DSS-Req-10.4 |
| 85 | ········-·DISA-STIG-RHEL-06-000247 | 85 | ········-·DISA-STIG-RHEL-06-000247 |
| 86 | ···· | 86 | ···· |
| 87 | ····-·name:·Enable·service·crond | ||
| 88 | ······service: | ||
| 89 | ········name="{{item}}" | ||
| 90 | ········enabled="yes" | ||
| 91 | ········state="started" | ||
| 92 | ······with_items: | ||
| 93 | ········-·crond | ||
| 94 | ······tags: | ||
| 95 | ········-·service_crond_enabled | ||
| 96 | ········-·medium_severity | ||
| 97 | ········-·enable_strategy | ||
| 98 | ········-·low_complexity | ||
| 99 | ········-·low_disruption | ||
| 100 | ········-·CCE-27070-2 | ||
| 101 | ········-·NIST-800-53-CM-7 | ||
| 102 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 103 | ···· | ||
| 104 | ····-·name:·Disable·service·atd | ||
| 105 | ······service: | ||
| 106 | ········name="{{item}}" | ||
| 107 | ········enabled="no" | ||
| 108 | ········state="stopped" | ||
| 109 | ······register:·service_result | ||
| 110 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 111 | ······with_items: | ||
| 112 | ········-·atd | ||
| 113 | ······tags: | ||
| 114 | ········-·service_atd_disabled | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·disable_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27249-2 | ||
| 120 | ········-·NIST-800-53-CM-7 | ||
| 121 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 122 | ···· | ||
| 123 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 124 | ······package: | ||
| 125 | ········name="{{item}}" | ||
| 126 | ········state=absent | ||
| 127 | ······with_items: | ||
| 128 | ········-·xorg-x11-server-common | ||
| 129 | ······tags: | ||
| 130 | ········-·package_xorg-x11-server-common_removed | ||
| 131 | ········-·unknown_severity | ||
| 132 | ········-·disable_strategy | ||
| 133 | ········-·low_complexity | ||
| 134 | ········-·low_disruption | ||
| 135 | ········-·CCE-27198-1 | ||
| 136 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 137 | ···· | ||
| 138 | ····-·name:·Ensure·rsh-server·is·removed | 87 | ····-·name:·Ensure·rsh-server·is·removed |
| 139 | ······package: | 88 | ······package: |
| 140 | ········name="{{item}}" | 89 | ········name="{{item}}" |
| 141 | ········state=absent | 90 | ········state=absent |
| 142 | ······with_items: | 91 | ······with_items: |
| 143 | ········-·rsh-server | 92 | ········-·rsh-server |
| 144 | ······tags: | 93 | ······tags: |
| Offset 293, 14 lines modified | Offset 242, 81 lines modified | ||
| 293 | ········-·disable_strategy | 242 | ········-·disable_strategy |
| 294 | ········-·low_complexity | 243 | ········-·low_complexity |
| 295 | ········-·low_disruption | 244 | ········-·low_disruption |
| 296 | ········-·CCE-27005-8 | 245 | ········-·CCE-27005-8 |
| 297 | ········-·NIST-800-53-CM-7 | 246 | ········-·NIST-800-53-CM-7 |
| 298 | ········-·DISA-STIG-RHEL-06-000204 | 247 | ········-·DISA-STIG-RHEL-06-000204 |
| 299 | ···· | 248 | ···· |
| 249 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 250 | ······package: | ||
| 251 | ········name="{{item}}" | ||
| 252 | ········state=absent | ||
| Max diff block lines reached; 103453/109627 bytes (94.37%) of diff not shown. | |||
| Offset 32, 43 lines modified | Offset 32, 43 lines modified | ||
| 32 | ·······assert: | 32 | ·······assert: |
| 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 33 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 34 | ·········msg:·> | 34 | ·········msg:·> |
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······var_auditd_max_log_file:·6 | ||
| 40 | ······var_auditd_admin_space_left_action:·single | ||
| 41 | ······var_auditd_max_log_file_action:·rotate | ||
| 39 | ······rsyslog_remote_loghost_address:·None | 42 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 51 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 53 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_c | 54 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | 59 | ······var_accounts_minimum_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 62 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 63 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 64 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 65 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 66 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 67 | ······var_accounts_tmout:·600 |
| 65 | ······var_auditd_max_log_file:·6 | ||
| 66 | ······var_auditd_admin_space_left_action:·single | ||
| 67 | ······var_auditd_max_log_file_action:·rotate | ||
| 68 | ······var_removable_partition:·/dev/cdrom | 68 | ······var_removable_partition:·/dev/cdrom |
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Enable·service·ntpd | 70 | ····-·name:·Enable·service·ntpd |
| 71 | ······service: | 71 | ······service: |
| 72 | ········name="{{item}}" | 72 | ········name="{{item}}" |
| 73 | ········enabled="yes" | 73 | ········enabled="yes" |
| 74 | ········state="started" | 74 | ········state="started" |
| Offset 81, 50 lines modified | Offset 81, 14 lines modified | ||
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-27093-4 | 83 | ········-·CCE-27093-4 |
| 84 | ········-·NIST-800-53-AU-8(1) | 84 | ········-·NIST-800-53-AU-8(1) |
| 85 | ········-·PCI-DSS-Req-10.4 | 85 | ········-·PCI-DSS-Req-10.4 |
| 86 | ········-·DISA-STIG-RHEL-06-000247 | 86 | ········-·DISA-STIG-RHEL-06-000247 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Enable·service·crond | ||
| 89 | ······service: | ||
| 90 | ········name="{{item}}" | ||
| 91 | ········enabled="yes" | ||
| 92 | ········state="started" | ||
| 93 | ······with_items: | ||
| 94 | ········-·crond | ||
| 95 | ······tags: | ||
| 96 | ········-·service_crond_enabled | ||
| 97 | ········-·medium_severity | ||
| 98 | ········-·enable_strategy | ||
| 99 | ········-·low_complexity | ||
| 100 | ········-·low_disruption | ||
| 101 | ········-·CCE-27070-2 | ||
| 102 | ········-·NIST-800-53-CM-7 | ||
| 103 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 104 | ···· | ||
| 105 | ····-·name:·Disable·service·atd | ||
| 106 | ······service: | ||
| 107 | ········name="{{item}}" | ||
| 108 | ········enabled="no" | ||
| 109 | ········state="stopped" | ||
| 110 | ······register:·service_result | ||
| 111 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 112 | ······with_items: | ||
| 113 | ········-·atd | ||
| 114 | ······tags: | ||
| 115 | ········-·service_atd_disabled | ||
| 116 | ········-·unknown_severity | ||
| 117 | ········-·disable_strategy | ||
| 118 | ········-·low_complexity | ||
| 119 | ········-·low_disruption | ||
| 120 | ········-·CCE-27249-2 | ||
| 121 | ········-·NIST-800-53-CM-7 | ||
| 122 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 123 | ···· | ||
| 124 | ····-·name:·Ensure·rsh-server·is·removed | 88 | ····-·name:·Ensure·rsh-server·is·removed |
| 125 | ······package: | 89 | ······package: |
| 126 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 127 | ········state=absent | 91 | ········state=absent |
| 128 | ······with_items: | 92 | ······with_items: |
| 129 | ········-·rsh-server | 93 | ········-·rsh-server |
| 130 | ······tags: | 94 | ······tags: |
| Offset 279, 14 lines modified | Offset 243, 66 lines modified | ||
| 279 | ········-·disable_strategy | 243 | ········-·disable_strategy |
| 280 | ········-·low_complexity | 244 | ········-·low_complexity |
| 281 | ········-·low_disruption | 245 | ········-·low_disruption |
| 282 | ········-·CCE-27005-8 | 246 | ········-·CCE-27005-8 |
| 283 | ········-·NIST-800-53-CM-7 | 247 | ········-·NIST-800-53-CM-7 |
| 284 | ········-·DISA-STIG-RHEL-06-000204 | 248 | ········-·DISA-STIG-RHEL-06-000204 |
| 285 | ···· | 249 | ···· |
| 250 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 251 | ······package: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········state=absent | ||
| 254 | ······with_items: | ||
| 255 | ········-·openldap-servers | ||
| 256 | ······tags: | ||
| 257 | ········-·package_openldap-servers_removed | ||
| 258 | ········-·unknown_severity | ||
| 259 | ········-·disable_strategy | ||
| 260 | ········-·low_complexity | ||
| 261 | ········-·low_disruption | ||
| 262 | ········-·CCE-26858-1 | ||
| 263 | ········-·NIST-800-53-CM-7 | ||
| 264 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 265 | ···· | ||
| 266 | ····-·name:·Enable·service·crond | ||
| 267 | ······service: | ||
| 268 | ········name="{{item}}" | ||
| Max diff block lines reached; 103453/108815 bytes (95.07%) of diff not shown. | |||
| Offset 37, 49 lines modified | Offset 37, 49 lines modified | ||
| 37 | ·······assert: | 37 | ·······assert: |
| 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 38 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 39 | ·········msg:·> | 39 | ·········msg:·> |
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······var_auditd_max_log_file:·6 | ||
| 45 | ······var_auditd_action_mail_acct:·admin | ||
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·single | ||
| 48 | ······var_auditd_max_log_file_action:·rotate | ||
| 44 | ······rsyslog_remote_loghost_address:·None | 49 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 52 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 54 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 55 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 56 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_c | 61 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 62 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 58 | ······var_selinux_policy_name:·targeted | 63 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 64 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 65 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | 66 | ······var_accounts_minimum_age_login_defs:·1 |
| 67 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 68 | ······var_accounts_password_warn_age_login_defs:·7 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 69 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 70 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 71 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 72 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 73 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 74 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 76 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 77 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 78 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_auditd_action_mail_acct:·admin | ||
| 75 | ······var_auditd_max_log_file:·6 | ||
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | ||
| 79 | ······var_removable_partition:·/dev/cdrom | 79 | ······var_removable_partition:·/dev/cdrom |
| 80 | ······var_removable_partition:·/dev/cdrom | 80 | ······var_removable_partition:·/dev/cdrom |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Enable·service·ntpd | 83 | ····-·name:·Enable·service·ntpd |
| 84 | ······service: | 84 | ······service: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| Offset 94, 65 lines modified | Offset 94, 14 lines modified | ||
| 94 | ········-·low_complexity | 94 | ········-·low_complexity |
| 95 | ········-·low_disruption | 95 | ········-·low_disruption |
| 96 | ········-·CCE-27093-4 | 96 | ········-·CCE-27093-4 |
| 97 | ········-·NIST-800-53-AU-8(1) | 97 | ········-·NIST-800-53-AU-8(1) |
| 98 | ········-·PCI-DSS-Req-10.4 | 98 | ········-·PCI-DSS-Req-10.4 |
| 99 | ········-·DISA-STIG-RHEL-06-000247 | 99 | ········-·DISA-STIG-RHEL-06-000247 |
| 100 | ···· | 100 | ···· |
| 101 | ····-·name:·Enable·service·crond | ||
| 102 | ······service: | ||
| 103 | ········name="{{item}}" | ||
| 104 | ········enabled="yes" | ||
| 105 | ········state="started" | ||
| 106 | ······with_items: | ||
| 107 | ········-·crond | ||
| 108 | ······tags: | ||
| 109 | ········-·service_crond_enabled | ||
| 110 | ········-·medium_severity | ||
| 111 | ········-·enable_strategy | ||
| 112 | ········-·low_complexity | ||
| 113 | ········-·low_disruption | ||
| 114 | ········-·CCE-27070-2 | ||
| 115 | ········-·NIST-800-53-CM-7 | ||
| 116 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 117 | ···· | ||
| 118 | ····-·name:·Disable·service·atd | ||
| 119 | ······service: | ||
| 120 | ········name="{{item}}" | ||
| 121 | ········enabled="no" | ||
| 122 | ········state="stopped" | ||
| 123 | ······register:·service_result | ||
| 124 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 125 | ······with_items: | ||
| 126 | ········-·atd | ||
| 127 | ······tags: | ||
| 128 | ········-·service_atd_disabled | ||
| 129 | ········-·unknown_severity | ||
| 130 | ········-·disable_strategy | ||
| 131 | ········-·low_complexity | ||
| 132 | ········-·low_disruption | ||
| 133 | ········-·CCE-27249-2 | ||
| 134 | ········-·NIST-800-53-CM-7 | ||
| 135 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 136 | ···· | ||
| 137 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 138 | ······package: | ||
| 139 | ········name="{{item}}" | ||
| 140 | ········state=absent | ||
| 141 | ······with_items: | ||
| 142 | ········-·xorg-x11-server-common | ||
| 143 | ······tags: | ||
| 144 | ········-·package_xorg-x11-server-common_removed | ||
| 145 | ········-·unknown_severity | ||
| 146 | ········-·disable_strategy | ||
| 147 | ········-·low_complexity | ||
| 148 | ········-·low_disruption | ||
| 149 | ········-·CCE-27198-1 | ||
| 150 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 151 | ···· | ||
| 152 | ····-·name:·Ensure·rsh-server·is·removed | 101 | ····-·name:·Ensure·rsh-server·is·removed |
| 153 | ······package: | 102 | ······package: |
| 154 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 155 | ········state=absent | 104 | ········state=absent |
| 156 | ······with_items: | 105 | ······with_items: |
| 157 | ········-·rsh-server | 106 | ········-·rsh-server |
| 158 | ······tags: | 107 | ······tags: |
| Offset 307, 14 lines modified | Offset 256, 81 lines modified | ||
| 307 | ········-·disable_strategy | 256 | ········-·disable_strategy |
| 308 | ········-·low_complexity | 257 | ········-·low_complexity |
| 309 | ········-·low_disruption | 258 | ········-·low_disruption |
| Max diff block lines reached; 126814/131492 bytes (96.44%) of diff not shown. | |||
| Offset 35, 29 lines modified | Offset 35, 29 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_ | 49 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·60 | 55 | ······var_accounts_maximum_age_login_defs:·60 |
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| Offset 127, 47 lines modified | Offset 127, 14 lines modified | ||
| 127 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 128 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 129 | ········-·low_complexity | 129 | ········-·low_complexity |
| 130 | ········-·low_disruption | 130 | ········-·low_disruption |
| 131 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 132 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 133 | ···· | 133 | ···· |
| 134 | ····-·name:·Ensure·dhcp·is·removed | ||
| 135 | ······package: | ||
| 136 | ········name="{{item}}" | ||
| 137 | ········state=absent | ||
| 138 | ······with_items: | ||
| 139 | ········-·dhcp | ||
| 140 | ······tags: | ||
| 141 | ········-·package_dhcp_removed | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·disable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27120-5 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·dhcpd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·dhcpd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_dhcpd_disabled | ||
| 160 | ········-·medium_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27074-4 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ···· | ||
| 167 | ····-·name:·Enable·service·ntpd | 134 | ····-·name:·Enable·service·ntpd |
| 168 | ······service: | 135 | ······service: |
| 169 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 170 | ········enabled="yes" | 137 | ········enabled="yes" |
| 171 | ········state="started" | 138 | ········state="started" |
| 172 | ······with_items: | 139 | ······with_items: |
| 173 | ········-·ntpd | 140 | ········-·ntpd |
| Offset 209, 50 lines modified | Offset 176, 14 lines modified | ||
| 209 | ········-·service_snmpd_disabled | 176 | ········-·service_snmpd_disabled |
| 210 | ········-·unknown_severity | 177 | ········-·unknown_severity |
| 211 | ········-·disable_strategy | 178 | ········-·disable_strategy |
| 212 | ········-·low_complexity | 179 | ········-·low_complexity |
| 213 | ········-·low_disruption | 180 | ········-·low_disruption |
| 214 | ········-·CCE-26906-8 | 181 | ········-·CCE-26906-8 |
| 215 | ···· | 182 | ···· |
| 216 | ····-·name:·Enable·service·crond | ||
| 217 | ······service: | ||
| 218 | ········name="{{item}}" | ||
| 219 | ········enabled="yes" | ||
| 220 | ········state="started" | ||
| 221 | ······with_items: | ||
| 222 | ········-·crond | ||
| 223 | ······tags: | ||
| 224 | ········-·service_crond_enabled | ||
| 225 | ········-·medium_severity | ||
| 226 | ········-·enable_strategy | ||
| 227 | ········-·low_complexity | ||
| 228 | ········-·low_disruption | ||
| 229 | ········-·CCE-27070-2 | ||
| 230 | ········-·NIST-800-53-CM-7 | ||
| 231 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 232 | ···· | ||
| 233 | ····-·name:·Disable·service·atd | ||
| 234 | ······service: | ||
| 235 | ········name="{{item}}" | ||
| 236 | ········enabled="no" | ||
| 237 | ········state="stopped" | ||
| 238 | ······register:·service_result | ||
| 239 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 240 | ······with_items: | ||
| 241 | ········-·atd | ||
| 242 | ······tags: | ||
| 243 | ········-·service_atd_disabled | ||
| 244 | ········-·unknown_severity | ||
| 245 | ········-·disable_strategy | ||
| 246 | ········-·low_complexity | ||
| 247 | ········-·low_disruption | ||
| 248 | ········-·CCE-27249-2 | ||
| 249 | ········-·NIST-800-53-CM-7 | ||
| 250 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 251 | ···· | ||
| 252 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 253 | ······package: | 184 | ······package: |
| 254 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| Max diff block lines reached; 133839/138029 bytes (96.96%) of diff not shown. | |||
| Offset 46, 25 lines modified | Offset 46, 25 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 59 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_ | 61 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_c | 62 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 63 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| Offset 77, 16 lines modified | Offset 77, 16 lines modified | ||
| 77 | ······var_password_pam_lcredit:·-1 | 77 | ······var_password_pam_lcredit:·-1 |
| 78 | ······var_password_pam_ucredit:·-1 | 78 | ······var_password_pam_ucredit:·-1 |
| 79 | ······var_password_pam_retry:·1 | 79 | ······var_password_pam_retry:·1 |
| 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 80 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_removable_partition:·/dev/cdrom | 82 | ······var_removable_partition:·/dev/cdrom |
| 83 | ······var_removable_partition:·/dev/cdrom | 83 | ······var_removable_partition:·/dev/cdrom |
| 84 | ······var_auditd_action_mail_acct:·root | ||
| 85 | ······var_auditd_max_log_file:·6 | 84 | ······var_auditd_max_log_file:·6 |
| 85 | ······var_auditd_action_mail_acct:·root | ||
| 86 | ······var_auditd_admin_space_left_action:·single | 86 | ······var_auditd_admin_space_left_action:·single |
| 87 | ······var_auditd_max_log_file_action:·rotate | 87 | ······var_auditd_max_log_file_action:·rotate |
| 88 | ···tasks: | 88 | ···tasks: |
| 89 | ····-·name:·Ensure·rsh·is·removed | 89 | ····-·name:·Ensure·rsh·is·removed |
| 90 | ······package: | 90 | ······package: |
| 91 | ········name="{{item}}" | 91 | ········name="{{item}}" |
| 92 | ········state=absent | 92 | ········state=absent |
| Offset 119, 54 lines modified | Offset 119, 54 lines modified | ||
| 119 | ········-·CCE-27336-7 | 119 | ········-·CCE-27336-7 |
| 120 | ········-·NIST-800-53-AC-17(8) | 120 | ········-·NIST-800-53-AC-17(8) |
| 121 | ········-·NIST-800-53-CM-7 | 121 | ········-·NIST-800-53-CM-7 |
| 122 | ········-·NIST-800-53-IA-5(1)(c) | 122 | ········-·NIST-800-53-IA-5(1)(c) |
| 123 | ········-·NIST-800-171-3.1.13 | 123 | ········-·NIST-800-171-3.1.13 |
| 124 | ········-·NIST-800-171-3.4.7 | 124 | ········-·NIST-800-171-3.4.7 |
| 125 | ···· | 125 | ···· |
| 126 | ····-·name:·Disable·service·r | 126 | ····-·name:·Disable·service·rsh |
| 127 | ······service: | 127 | ······service: |
| 128 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 129 | ········enabled="no" | 129 | ········enabled="no" |
| 130 | ········state="stopped" | 130 | ········state="stopped" |
| 131 | ······register:·service_result | 131 | ······register:·service_result |
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 133 | ······with_items: | 133 | ······with_items: |
| 134 | ········-·r | 134 | ········-·rsh |
| 135 | ······tags: | 135 | ······tags: |
| 136 | ········-·service_r | 136 | ········-·service_rsh_disabled |
| 137 | ········-·high_severity | 137 | ········-·high_severity |
| 138 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 139 | ········-·low_complexity | 139 | ········-·low_complexity |
| 140 | ········-·low_disruption | 140 | ········-·low_disruption |
| 141 | ········-·CCE-27 | 141 | ········-·CCE-27337-5 |
| 142 | ········-·NIST-800-53-AC-17(8) | 142 | ········-·NIST-800-53-AC-17(8) |
| 143 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 144 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 144 | ········-·NIST-800-171-3.1.13 | 145 | ········-·NIST-800-171-3.1.13 |
| 145 | ········-·NIST-800-171-3.4.7 | 146 | ········-·NIST-800-171-3.4.7 |
| 146 | ···· | 147 | ···· |
| 147 | ····-·name:·Disable·service·r | 148 | ····-·name:·Disable·service·rexec |
| 148 | ······service: | 149 | ······service: |
| 149 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 150 | ········enabled="no" | 151 | ········enabled="no" |
| 151 | ········state="stopped" | 152 | ········state="stopped" |
| 152 | ······register:·service_result | 153 | ······register:·service_result |
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 154 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 154 | ······with_items: | 155 | ······with_items: |
| 155 | ········-·r | 156 | ········-·rexec |
| 156 | ······tags: | 157 | ······tags: |
| 157 | ········-·service_r | 158 | ········-·service_rexec_disabled |
| 158 | ········-·high_severity | 159 | ········-·high_severity |
| 159 | ········-·disable_strategy | 160 | ········-·disable_strategy |
| 160 | ········-·low_complexity | 161 | ········-·low_complexity |
| 161 | ········-·low_disruption | 162 | ········-·low_disruption |
| 162 | ········-·CCE-27 | 163 | ········-·CCE-27408-4 |
| 163 | ········-·NIST-800-53-AC-17(8) | 164 | ········-·NIST-800-53-AC-17(8) |
| 164 | ········-·NIST-800-53-CM-7 | 165 | ········-·NIST-800-53-CM-7 |
| 165 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 166 | ········-·NIST-800-171-3.1.13 | 166 | ········-·NIST-800-171-3.1.13 |
| 167 | ········-·NIST-800-171-3.4.7 | 167 | ········-·NIST-800-171-3.4.7 |
| 168 | ···· | 168 | ···· |
| 169 | ····-·block: | 169 | ····-·block: |
| 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" | 170 | ········-·name:·"Detect·shosts.equiv·Files·on·the·System" |
| 171 | ··········find: | 171 | ··········find: |
| 172 | ··············paths:·/ | 172 | ··············paths:·/ |
| Offset 274, 30 lines modified | Offset 274, 14 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 297 | ····-·name:·Disable·service·xinetd | 281 | ····-·name:·Disable·service·xinetd |
| 298 | ······service: | 282 | ······service: |
| 299 | ········name="{{item}}" | 283 | ········name="{{item}}" |
| Max diff block lines reached; 66690/72411 bytes (92.10%) of diff not shown. | |||
| Offset 36, 25 lines modified | Offset 36, 25 lines modified | ||
| 36 | ·········msg:·> | 36 | ·········msg:·> |
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 43 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 44 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······var_accounts_minimum_age_login_defs:·1 | 47 | ······var_accounts_minimum_age_login_defs:·1 |
| 48 | ······var_account_disable_post_pw_expiration:·0 | 48 | ······var_account_disable_post_pw_expiration:·0 |
| 49 | ······var_password_pam_minlen:·12 | 49 | ······var_password_pam_minlen:·12 |
| 50 | ······var_password_pam_difok:·6 | 50 | ······var_password_pam_difok:·6 |
| 51 | ······var_accounts_max_concurrent_login_sessions:·3 | 51 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 52 | ······var_auditd_action_mail_acct:·admin | ||
| 53 | ······var_auditd_max_log_file:·1 | 52 | ······var_auditd_max_log_file:·1 |
| 53 | ······var_auditd_action_mail_acct:·admin | ||
| 54 | ······var_auditd_space_left_action:·suspend | 54 | ······var_auditd_space_left_action:·suspend |
| 55 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 56 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······inactivity_timeout_value:·1800 | 57 | ······inactivity_timeout_value:·1800 |
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| Offset 368, 100 lines modified | Offset 368, 100 lines modified | ||
| 368 | ········-·NIST-800-53-SC-7 | 368 | ········-·NIST-800-53-SC-7 |
| 369 | ········-·NIST-800-171-3.1.20 | 369 | ········-·NIST-800-171-3.1.20 |
| 370 | ········-·CJIS-5.10.1.1 | 370 | ········-·CJIS-5.10.1.1 |
| 371 | ········-·DISA-STIG-RHEL-07-040620 | 371 | ········-·DISA-STIG-RHEL-07-040620 |
| 372 | ···· | 372 | ···· |
| 373 | ···· | 373 | ···· |
| 374 | ···· | 374 | ···· |
| 375 | ····-·name:·Ensure·sysctl·net.ipv4. | 375 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 376 | ······sysctl: | 376 | ······sysctl: |
| 377 | ········name:·net.ipv4. | 377 | ········name:·net.ipv4.conf.default.accept_redirects |
| 378 | ········value:·"{{·sysctl_net_ipv4_ | 378 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 379 | ········state:·present | 379 | ········state:·present |
| 380 | ········reload:·yes | 380 | ········reload:·yes |
| 381 | ······tags: | 381 | ······tags: |
| 382 | ········-·sysctl_net_ipv4_ | 382 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 383 | ········-·medium_severity | 383 | ········-·medium_severity |
| 384 | ········-·disable_strategy | 384 | ········-·disable_strategy |
| 385 | ········-·low_complexity | 385 | ········-·low_complexity |
| 386 | ········-·medium_disruption | 386 | ········-·medium_disruption |
| 387 | ········-·CCE-8016 | 387 | ········-·CCE-80163-9 |
| 388 | ········-·NIST-800-53-AC-4 | 388 | ········-·NIST-800-53-AC-4 |
| 389 | ········-·NIST-800-53-CM-7 | 389 | ········-·NIST-800-53-CM-7 |
| 390 | ········-·NIST-800-53-SC-5 | 390 | ········-·NIST-800-53-SC-5 |
| 391 | ········-·NIST-800-53-SC-7 | ||
| 391 | ········-·NIST-800-171-3.1.20 | 392 | ········-·NIST-800-171-3.1.20 |
| 392 | ········-·CJIS-5.10.1.1 | 393 | ········-·CJIS-5.10.1.1 |
| 393 | ········-·DISA-STIG-RHEL-07-0406 | 394 | ········-·DISA-STIG-RHEL-07-040640 |
| 394 | ···· | 395 | ···· |
| 395 | ···· | 396 | ···· |
| 396 | ···· | 397 | ···· |
| 397 | ····-·name:·Ensure·sysctl·net.ipv4.conf. | 398 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.accept_redirects·is·set |
| 398 | ······sysctl: | 399 | ······sysctl: |
| 399 | ········name:·net.ipv4.conf. | 400 | ········name:·net.ipv4.conf.all.accept_redirects |
| 400 | ········value:·"{{·sysctl_net_ipv4_conf_ | 401 | ········value:·"{{·sysctl_net_ipv4_conf_all_accept_redirects_value·}}" |
| 401 | ········state:·present | 402 | ········state:·present |
| 402 | ········reload:·yes | 403 | ········reload:·yes |
| 403 | ······tags: | 404 | ······tags: |
| 404 | ········-·sysctl_net_ipv4_conf_ | 405 | ········-·sysctl_net_ipv4_conf_all_accept_redirects |
| 405 | ········-·medium_severity | 406 | ········-·medium_severity |
| 406 | ········-·disable_strategy | 407 | ········-·disable_strategy |
| 407 | ········-·low_complexity | 408 | ········-·low_complexity |
| 408 | ········-·medium_disruption | 409 | ········-·medium_disruption |
| 409 | ········-·CCE-801 | 410 | ········-·CCE-80158-9 |
| 410 | ········-·NIST-800-53- | 411 | ········-·NIST-800-53-CM-6(d) |
| 411 | ········-·NIST-800-53-CM-7 | 412 | ········-·NIST-800-53-CM-7 |
| 412 | ········-·NIST-800-53-SC-5 | 413 | ········-·NIST-800-53-SC-5 |
| 413 | ········-·NIST-800-53-SC-7 | ||
| 414 | ········-·NIST-800-171-3.1.20 | 414 | ········-·NIST-800-171-3.1.20 |
| 415 | ········-·CJIS-5.10.1.1 | 415 | ········-·CJIS-5.10.1.1 |
| 416 | ········-·DISA-STIG-RHEL-07-04064 | 416 | ········-·DISA-STIG-RHEL-07-040641 |
| 417 | ···· | 417 | ···· |
| 418 | ···· | 418 | ···· |
| 419 | ···· | 419 | ···· |
| 420 | ····-·name:·Ensure·sysctl·net.ipv4. | 420 | ····-·name:·Ensure·sysctl·net.ipv4.icmp_echo_ignore_broadcasts·is·set |
| 421 | ······sysctl: | 421 | ······sysctl: |
| 422 | ········name:·net.ipv4. | 422 | ········name:·net.ipv4.icmp_echo_ignore_broadcasts |
| 423 | ········value:·"{{·sysctl_net_ipv4_ | 423 | ········value:·"{{·sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value·}}" |
| 424 | ········state:·present | 424 | ········state:·present |
| 425 | ········reload:·yes | 425 | ········reload:·yes |
| 426 | ······tags: | 426 | ······tags: |
| 427 | ········-·sysctl_net_ipv4_ | 427 | ········-·sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| 428 | ········-·medium_severity | 428 | ········-·medium_severity |
| 429 | ········-·disable_strategy | 429 | ········-·disable_strategy |
| 430 | ········-·low_complexity | 430 | ········-·low_complexity |
| 431 | ········-·medium_disruption | 431 | ········-·medium_disruption |
| 432 | ········-·CCE- | 432 | ········-·CCE-80165-4 |
| 433 | ········-·NIST-800-53-AC-4 | 433 | ········-·NIST-800-53-AC-4 |
| 434 | ········-·NIST-800-53- | 434 | ········-·NIST-800-53-CM-7 |
| 435 | ········-·NIST-800-53-SC-5 | 435 | ········-·NIST-800-53-SC-5 |
| 436 | ········-·NIST-800-53-SC-5(3) | ||
| 437 | ········-·NIST-800-171-3.1.20 | 436 | ········-·NIST-800-171-3.1.20 |
| 438 | ········-·CJIS-5.10.1.1 | 437 | ········-·CJIS-5.10.1.1 |
| 438 | ········-·DISA-STIG-RHEL-07-040630 | ||
| 439 | ···· | 439 | ···· |
| 440 | ···· | 440 | ···· |
| 441 | ···· | 441 | ···· |
| 442 | ····-·name:·Ensure·sysctl·net.ipv4. | 442 | ····-·name:·Ensure·sysctl·net.ipv4.tcp_syncookies·is·set |
| 443 | ······sysctl: | 443 | ······sysctl: |
| 444 | ········name:·net.ipv4. | 444 | ········name:·net.ipv4.tcp_syncookies |
| 445 | ········value:·"{{·sysctl_net_ipv4_ | 445 | ········value:·"{{·sysctl_net_ipv4_tcp_syncookies_value·}}" |
| 446 | ········state:·present | 446 | ········state:·present |
| 447 | ········reload:·yes | 447 | ········reload:·yes |
| 448 | ······tags: | 448 | ······tags: |
| 449 | ········-·sysctl_net_ipv4_ | 449 | ········-·sysctl_net_ipv4_tcp_syncookies |
| 450 | ········-·medium_severity | 450 | ········-·medium_severity |
| 451 | ········-·disable_strategy | 451 | ········-·disable_strategy |
| 452 | ········-·low_complexity | 452 | ········-·low_complexity |
| 453 | ········-·medium_disruption | 453 | ········-·medium_disruption |
| 454 | ········-·CCE- | 454 | ········-·CCE-27495-1 |
| 455 | ········-·NIST-800-53- | 455 | ········-·NIST-800-53-AC-4 |
| 456 | ········-·NIST-800-53-C | 456 | ········-·NIST-800-53-SC-5(1)(2) |
| 457 | ········-·NIST-800-53-SC-5 | 457 | ········-·NIST-800-53-SC-5(2) |
| 458 | ········-·NIST-800-53-SC-5(3) | ||
| 458 | ········-·NIST-800-171-3.1.20 | 459 | ········-·NIST-800-171-3.1.20 |
| 459 | ········-·CJIS-5.10.1.1 | 460 | ········-·CJIS-5.10.1.1 |
| 460 | ········-·DISA-STIG-RHEL-07-040641 | ||
| 461 | ···· | 461 | ···· |
| 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 | 462 | ····-·name:·Ensure·sysctl·net.ipv4.conf.all.send_redirects·is·set·to·0 |
| Max diff block lines reached; 34274/39699 bytes (86.33%) of diff not shown. | |||
| Offset 81, 54 lines modified | Offset 81, 54 lines modified | ||
| 81 | ········-·CCE-27336-7 | 81 | ········-·CCE-27336-7 |
| 82 | ········-·NIST-800-53-AC-17(8) | 82 | ········-·NIST-800-53-AC-17(8) |
| 83 | ········-·NIST-800-53-CM-7 | 83 | ········-·NIST-800-53-CM-7 |
| 84 | ········-·NIST-800-53-IA-5(1)(c) | 84 | ········-·NIST-800-53-IA-5(1)(c) |
| 85 | ········-·NIST-800-171-3.1.13 | 85 | ········-·NIST-800-171-3.1.13 |
| 86 | ········-·NIST-800-171-3.4.7 | 86 | ········-·NIST-800-171-3.4.7 |
| 87 | ···· | 87 | ···· |
| 88 | ····-·name:·Disable·service·r | 88 | ····-·name:·Disable·service·rsh |
| 89 | ······service: | 89 | ······service: |
| 90 | ········name="{{item}}" | 90 | ········name="{{item}}" |
| 91 | ········enabled="no" | 91 | ········enabled="no" |
| 92 | ········state="stopped" | 92 | ········state="stopped" |
| 93 | ······register:·service_result | 93 | ······register:·service_result |
| 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 94 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 95 | ······with_items: | 95 | ······with_items: |
| 96 | ········-·r | 96 | ········-·rsh |
| 97 | ······tags: | 97 | ······tags: |
| 98 | ········-·service_r | 98 | ········-·service_rsh_disabled |
| 99 | ········-·high_severity | 99 | ········-·high_severity |
| 100 | ········-·disable_strategy | 100 | ········-·disable_strategy |
| 101 | ········-·low_complexity | 101 | ········-·low_complexity |
| 102 | ········-·low_disruption | 102 | ········-·low_disruption |
| 103 | ········-·CCE-27 | 103 | ········-·CCE-27337-5 |
| 104 | ········-·NIST-800-53-AC-17(8) | 104 | ········-·NIST-800-53-AC-17(8) |
| 105 | ········-·NIST-800-53-CM-7 | 105 | ········-·NIST-800-53-CM-7 |
| 106 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 106 | ········-·NIST-800-171-3.1.13 | 107 | ········-·NIST-800-171-3.1.13 |
| 107 | ········-·NIST-800-171-3.4.7 | 108 | ········-·NIST-800-171-3.4.7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Disable·service·r | 110 | ····-·name:·Disable·service·rexec |
| 110 | ······service: | 111 | ······service: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········enabled="no" | 113 | ········enabled="no" |
| 113 | ········state="stopped" | 114 | ········state="stopped" |
| 114 | ······register:·service_result | 115 | ······register:·service_result |
| 115 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 116 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 116 | ······with_items: | 117 | ······with_items: |
| 117 | ········-·r | 118 | ········-·rexec |
| 118 | ······tags: | 119 | ······tags: |
| 119 | ········-·service_r | 120 | ········-·service_rexec_disabled |
| 120 | ········-·high_severity | 121 | ········-·high_severity |
| 121 | ········-·disable_strategy | 122 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 123 | ········-·low_complexity |
| 123 | ········-·low_disruption | 124 | ········-·low_disruption |
| 124 | ········-·CCE-27 | 125 | ········-·CCE-27408-4 |
| 125 | ········-·NIST-800-53-AC-17(8) | 126 | ········-·NIST-800-53-AC-17(8) |
| 126 | ········-·NIST-800-53-CM-7 | 127 | ········-·NIST-800-53-CM-7 |
| 127 | ········-·NIST-800-53-IA-5(1)(c) | ||
| 128 | ········-·NIST-800-171-3.1.13 | 128 | ········-·NIST-800-171-3.1.13 |
| 129 | ········-·NIST-800-171-3.4.7 | 129 | ········-·NIST-800-171-3.4.7 |
| 130 | ···· | 130 | ···· |
| 131 | ····-·name:·Ensure·rsh-server·is·removed | 131 | ····-·name:·Ensure·rsh-server·is·removed |
| 132 | ······package: | 132 | ······package: |
| 133 | ········name="{{item}}" | 133 | ········name="{{item}}" |
| 134 | ········state=absent | 134 | ········state=absent |
| Offset 899, 30 lines modified | Offset 899, 14 lines modified | ||
| 899 | ········-·NIST-800-53-AC-6 | 899 | ········-·NIST-800-53-AC-6 |
| 900 | ········-·NIST-800-53-AU-9 | 900 | ········-·NIST-800-53-AU-9 |
| 901 | ········-·NIST-800-53-SI-6(a) | 901 | ········-·NIST-800-53-SI-6(a) |
| 902 | ········-·NIST-800-171-3.1.2 | 902 | ········-·NIST-800-171-3.1.2 |
| 903 | ········-·NIST-800-171-3.7.2 | 903 | ········-·NIST-800-171-3.7.2 |
| 904 | ········-·DISA-STIG-RHEL-07-020210 | 904 | ········-·DISA-STIG-RHEL-07-020210 |
| 905 | ···· | 905 | ···· |
| 906 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 907 | ······lineinfile: | ||
| 908 | ········dest:·/etc/securetty | ||
| 909 | ········regexp:·'ttyS[0-9]' | ||
| 910 | ········state:·absent | ||
| 911 | ······tags: | ||
| 912 | ········-·restrict_serial_port_logins | ||
| 913 | ········-·unknown_severity | ||
| 914 | ········-·restrict_strategy | ||
| 915 | ········-·low_complexity | ||
| 916 | ········-·low_disruption | ||
| 917 | ········-·CCE-27268-2 | ||
| 918 | ········-·NIST-800-53-AC-6(2) | ||
| 919 | ········-·NIST-800-171-3.1.1 | ||
| 920 | ········-·NIST-800-171-3.1.5 | ||
| 921 | ···· | ||
| 922 | ····-·name:·"Direct·root·Logins·Not·Allowed" | 906 | ····-·name:·"Direct·root·Logins·Not·Allowed" |
| 923 | ······shell:·echo·>·/etc/securetty | 907 | ······shell:·echo·>·/etc/securetty |
| 924 | ······tags: | 908 | ······tags: |
| 925 | ········-·no_direct_root_logins | 909 | ········-·no_direct_root_logins |
| 926 | ········-·medium_severity | 910 | ········-·medium_severity |
| 927 | ········-·restrict_strategy | 911 | ········-·restrict_strategy |
| 928 | ········-·low_complexity | 912 | ········-·low_complexity |
| Offset 944, 14 lines modified | Offset 928, 30 lines modified | ||
| 944 | ········-·low_complexity | 928 | ········-·low_complexity |
| 945 | ········-·low_disruption | 929 | ········-·low_disruption |
| 946 | ········-·CCE-27318-5 | 930 | ········-·CCE-27318-5 |
| 947 | ········-·NIST-800-53-AC-6(2) | 931 | ········-·NIST-800-53-AC-6(2) |
| 948 | ········-·NIST-800-171-3.1.1 | 932 | ········-·NIST-800-171-3.1.1 |
| 949 | ········-·NIST-800-171-3.1.5 | 933 | ········-·NIST-800-171-3.1.5 |
| 950 | ···· | 934 | ···· |
| 935 | ····-·name:·"Restrict·Serial·Port·Root·Logins" | ||
| 936 | ······lineinfile: | ||
| 937 | ········dest:·/etc/securetty | ||
| 938 | ········regexp:·'ttyS[0-9]' | ||
| 939 | ········state:·absent | ||
| 940 | ······tags: | ||
| 941 | ········-·restrict_serial_port_logins | ||
| 942 | ········-·unknown_severity | ||
| 943 | ········-·restrict_strategy | ||
| 944 | ········-·low_complexity | ||
| 945 | ········-·low_disruption | ||
| 946 | ········-·CCE-27268-2 | ||
| 947 | ········-·NIST-800-53-AC-6(2) | ||
| 948 | ········-·NIST-800-171-3.1.1 | ||
| 949 | ········-·NIST-800-171-3.1.5 | ||
| 950 | ···· | ||
| 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 951 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 952 | ······replace: | 952 | ······replace: |
| 953 | ········dest:·/etc/pam.d/system-auth | 953 | ········dest:·/etc/pam.d/system-auth |
| 954 | ········follow:·yes | 954 | ········follow:·yes |
| 955 | ········regexp:·'nullok' | 955 | ········regexp:·'nullok' |
| 956 | ······tags: | 956 | ······tags: |
| 957 | ········-·no_empty_passwords | 957 | ········-·no_empty_passwords |
| Offset 1025, 59 lines modified | Offset 1025, 14 lines modified | ||
| 1025 | ········-·medium_severity | 1025 | ········-·medium_severity |
| 1026 | ········-·disable_strategy | 1026 | ········-·disable_strategy |
| 1027 | ········-·low_complexity | 1027 | ········-·low_complexity |
| 1028 | ········-·low_disruption | 1028 | ········-·low_disruption |
| 1029 | ········-·CCE-80206-6 | 1029 | ········-·CCE-80206-6 |
| 1030 | ········-·NIST-800-171-3.4.5 | 1030 | ········-·NIST-800-171-3.4.5 |
| 1031 | ···· | 1031 | ···· |
| 1032 | ····-·name:·Ensure·kernel·module·'usb-storage'·is·disabled | ||
| 1033 | ······lineinfile: | ||
| Max diff block lines reached; 61653/66721 bytes (92.40%) of diff not shown. | |||
| Offset 56, 86 lines modified | Offset 56, 86 lines modified | ||
| 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 58 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 59 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 61 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 62 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 63 | ······sysctl_net_ipv4_icmp_ | 63 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 64 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 65 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 66 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 67 | ······sysctl_net_ipv4_conf_ | 67 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 69 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 68 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 69 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 71 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 70 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 72 | ······sysctl_net_ipv4_ | 71 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_c | 72 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 73 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 74 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 75 | ······var_ssh_sysadm_login:·false | 75 | ······var_ssh_sysadm_login:·false |
| 76 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 76 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 77 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_gpg_web_anon_write:·false | ||
| 80 | ······var_mount_anyfile:·true | 78 | ······var_mount_anyfile:·true |
| 81 | ······var_se | 79 | ······var_selinuxuser_tcp_server:·false |
| 82 | ······var_daemons_use_tcp_wrapper:·false | 80 | ······var_daemons_use_tcp_wrapper:·false |
| 81 | ······var_cron_can_relabel:·false | ||
| 83 | ······var_user_exec_content:·true | 82 | ······var_user_exec_content:·true |
| 84 | ······var_deny_ptrace:·false | 83 | ······var_deny_ptrace:·false |
| 85 | ······var_ | 84 | ······var_secure_mode:·false |
| 85 | ······var_xdm_write_home:·false | ||
| 86 | ······var_xserver_object_manager:·false | 86 | ······var_xserver_object_manager:·false |
| 87 | ······var_xdm_sysadm_login:·false | 87 | ······var_xdm_sysadm_login:·false |
| 88 | ······var_selinuxuser_mysql_connect_enabled:·false | 88 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 89 | ······var_ssh_keysign:·false | ||
| 90 | ······var_xserver_execmem:·false | ||
| 91 | ······var_cron_userdomain_transition:·true | 89 | ······var_cron_userdomain_transition:·true |
| 92 | ······var_secure_mode_insmod:·false | ||
| 93 | ······var_xguest_mount_media:·true | 90 | ······var_xguest_mount_media:·true |
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 91 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 92 | ······var_deny_execmem:·false |
| 96 | ······var_ | 93 | ······var_gpg_web_anon_write:·false |
| 97 | ······var_secure_mode_policyload:·false | ||
| 98 | ······var_abrt_anon_write:·false | 94 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 95 | ······var_ssh_chroot_rw_homedirs:·false |
| 100 | ······var_logging_syslogd_use_tty:·true | 96 | ······var_logging_syslogd_use_tty:·true |
| 97 | ······var_login_console_enabled:·true | ||
| 101 | ······var_abrt_handle_event:·false | 98 | ······var_abrt_handle_event:·false |
| 99 | ······var_mock_enable_homedirs:·false | ||
| 102 | ······var_unconfined_login:·true | 100 | ······var_unconfined_login:·true |
| 101 | ······var_logging_syslogd_can_sendmail:·false | ||
| 103 | ······var_selinuxuser_postgresql_connect_enabled:·false | 102 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 104 | ······var_abrt_upload_watch_anon_write:·true | 103 | ······var_abrt_upload_watch_anon_write:·true |
| 105 | ······var_daemons_use_tty:·false | 104 | ······var_daemons_use_tty:·false |
| 106 | ······var_selinuxuser_tcp_server:·false | ||
| 107 | ······var_cron_can_relabel:·false | ||
| 108 | ······var_staff_exec_content:·true | ||
| 109 | ······var_selinuxuser_direct_dri_enabled:·true | 105 | ······var_selinuxuser_direct_dri_enabled:·true |
| 106 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 107 | ······var_xserver_execmem:·false | ||
| 110 | ······var_xserver_clients_write_xshm:·false | 108 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 109 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 110 | ······var_xguest_exec_content:·true |
| 114 | ······var_ | 111 | ······var_domain_kernel_load_modules:·false |
| 115 | ······var_ | 112 | ······var_ssh_keysign:·false |
| 116 | ······var_ | 113 | ······var_secure_mode_insmod:·false |
| 117 | ······var_selinuxuser_ | 114 | ······var_selinuxuser_execmod:·true |
| 115 | ······var_staff_exec_content:·true | ||
| 118 | ······var_mmap_low_allowed:·false | 116 | ······var_mmap_low_allowed:·false |
| 119 | ······var_selinuxuser_share_music:·false | 117 | ······var_selinuxuser_share_music:·false |
| 120 | ······var_ | 118 | ······var_domain_fd_use:·true |
| 119 | ······var_selinuxuser_udp_server:·false | ||
| 121 | ······var_cron_system_cronjob_use_shares:·false | 120 | ······var_cron_system_cronjob_use_shares:·false |
| 121 | ······var_logadm_exec_content:·true | ||
| 122 | ······var_xguest_connect_network:·true | 122 | ······var_xguest_connect_network:·true |
| 123 | ······var_xdm_write_home:·false | ||
| 124 | ······var_sysadm_exec_content:·true | 123 | ······var_sysadm_exec_content:·true |
| 125 | ······var_xguest_use_bluetooth:·true | 124 | ······var_xguest_use_bluetooth:·true |
| 126 | ······var_ | 125 | ······var_kerberos_enabled:·true |
| 127 | ······var_ | 126 | ······var_guest_exec_content:·true |
| 128 | ······var_daemons_dump_core:·false | 127 | ······var_daemons_dump_core:·false |
| 129 | ······var_xdm_exec_bootloader:·false | 128 | ······var_xdm_exec_bootloader:·false |
| 130 | ······var_fips_mode:·true | 129 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 130 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | ||
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 131 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 132 | ······var_selinuxuser_ping:·true |
| 133 | ······var_secure_mode_policyload:·false | ||
| 134 | ······var_selinuxuser_execheap:·false | ||
| 135 | ······var_secadm_exec_content:·true | 135 | ······var_secadm_exec_content:·true |
| 136 | ······var_selinux_policy_name:·targeted | 136 | ······var_selinux_policy_name:·targeted |
| 137 | ······var_selinux_state:·enforcing | 137 | ······var_selinux_state:·enforcing |
| 138 | ······var_accounts_password_minlen_login_defs:·6 | 138 | ······var_accounts_password_minlen_login_defs:·6 |
| 139 | ······var_accounts_password_warn_age_login_defs:·7 | 139 | ······var_accounts_password_warn_age_login_defs:·7 |
| 140 | ······var_accounts_minimum_age_login_defs:·7 | 140 | ······var_accounts_minimum_age_login_defs:·7 |
| 141 | ······var_accounts_maximum_age_login_defs:·60 | 141 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 155, 22 lines modified | Offset 155, 22 lines modified | ||
| 155 | ······var_password_pam_difok:·8 | 155 | ······var_password_pam_difok:·8 |
| 156 | ······var_password_pam_ocredit:·-1 | 156 | ······var_password_pam_ocredit:·-1 |
| 157 | ······var_password_pam_lcredit:·-1 | 157 | ······var_password_pam_lcredit:·-1 |
| 158 | ······var_password_pam_ucredit:·-1 | 158 | ······var_password_pam_ucredit:·-1 |
| 159 | ······var_password_pam_retry:·3 | 159 | ······var_password_pam_retry:·3 |
| 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 160 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 161 | ······var_accounts_user_umask:·077 | 161 | ······var_accounts_user_umask:·077 |
| 162 | ······var_accounts_tmout:·600 | ||
| 163 | ······var_accounts_fail_delay:·4 | 162 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_max_concurrent_login_sessions:·10 | 163 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 164 | ······var_accounts_tmout:·600 | ||
| 165 | ······var_removable_partition:·/dev/cdrom | 165 | ······var_removable_partition:·/dev/cdrom |
| 166 | ······var_removable_partition:·/dev/cdrom | 166 | ······var_removable_partition:·/dev/cdrom |
| 167 | ······var_removable_partition:·/dev/cdrom | 167 | ······var_removable_partition:·/dev/cdrom |
| 168 | ······var_auditd_action_mail_acct:·root | ||
| 169 | ······var_auditd_max_log_file:·6 | 168 | ······var_auditd_max_log_file:·6 |
| 169 | ······var_auditd_action_mail_acct:·root | ||
| 170 | ······var_auditd_space_left_action:·email | 170 | ······var_auditd_space_left_action:·email |
| 171 | ······var_auditd_admin_space_left_action:·single | 171 | ······var_auditd_admin_space_left_action:·single |
| 172 | ······var_auditd_max_log_file_action:·rotate | 172 | ······var_auditd_max_log_file_action:·rotate |
| 173 | ······inactivity_timeout_value:·600 | 173 | ······inactivity_timeout_value:·600 |
| 174 | ···tasks: | 174 | ···tasks: |
| 175 | ····-·name:·Ensure·rsh·is·removed | 175 | ····-·name:·Ensure·rsh·is·removed |
| 176 | ······package: | 176 | ······package: |
| Offset 205, 54 lines modified | Offset 205, 54 lines modified | ||
| 205 | ········-·CCE-27336-7 | 205 | ········-·CCE-27336-7 |
| 206 | ········-·NIST-800-53-AC-17(8) | 206 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 67, 86 lines modified | Offset 67, 86 lines modified | ||
| 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 69 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 70 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 72 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 73 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 74 | ······sysctl_net_ipv4_icmp_ | 74 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 75 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 76 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 77 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 78 | ······sysctl_net_ipv4_conf_ | 78 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 79 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 80 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 79 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 81 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 80 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 82 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 81 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 83 | ······sysctl_net_ipv4_ | 82 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 84 | ······sysctl_net_ipv4_c | 83 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 84 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 | 85 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 86 | ······var_ssh_sysadm_login:·false | 86 | ······var_ssh_sysadm_login:·false |
| 87 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 87 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 88 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_gpg_web_anon_write:·false | ||
| 91 | ······var_mount_anyfile:·true | 89 | ······var_mount_anyfile:·true |
| 92 | ······var_se | 90 | ······var_selinuxuser_tcp_server:·false |
| 93 | ······var_daemons_use_tcp_wrapper:·false | 91 | ······var_daemons_use_tcp_wrapper:·false |
| 92 | ······var_cron_can_relabel:·false | ||
| 94 | ······var_user_exec_content:·true | 93 | ······var_user_exec_content:·true |
| 95 | ······var_deny_ptrace:·false | 94 | ······var_deny_ptrace:·false |
| 96 | ······var_ | 95 | ······var_secure_mode:·false |
| 96 | ······var_xdm_write_home:·false | ||
| 97 | ······var_xserver_object_manager:·false | 97 | ······var_xserver_object_manager:·false |
| 98 | ······var_xdm_sysadm_login:·false | 98 | ······var_xdm_sysadm_login:·false |
| 99 | ······var_selinuxuser_mysql_connect_enabled:·false | 99 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 100 | ······var_ssh_keysign:·false | ||
| 101 | ······var_xserver_execmem:·false | ||
| 102 | ······var_cron_userdomain_transition:·true | 100 | ······var_cron_userdomain_transition:·true |
| 103 | ······var_secure_mode_insmod:·false | ||
| 104 | ······var_xguest_mount_media:·true | 101 | ······var_xguest_mount_media:·true |
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 102 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 103 | ······var_deny_execmem:·false |
| 107 | ······var_ | 104 | ······var_gpg_web_anon_write:·false |
| 108 | ······var_secure_mode_policyload:·false | ||
| 109 | ······var_abrt_anon_write:·false | 105 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 106 | ······var_ssh_chroot_rw_homedirs:·false |
| 111 | ······var_logging_syslogd_use_tty:·true | 107 | ······var_logging_syslogd_use_tty:·true |
| 108 | ······var_login_console_enabled:·true | ||
| 112 | ······var_abrt_handle_event:·false | 109 | ······var_abrt_handle_event:·false |
| 110 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_unconfined_login:·true | 111 | ······var_unconfined_login:·true |
| 112 | ······var_logging_syslogd_can_sendmail:·false | ||
| 114 | ······var_selinuxuser_postgresql_connect_enabled:·false | 113 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 115 | ······var_abrt_upload_watch_anon_write:·true | 114 | ······var_abrt_upload_watch_anon_write:·true |
| 116 | ······var_daemons_use_tty:·false | 115 | ······var_daemons_use_tty:·false |
| 117 | ······var_selinuxuser_tcp_server:·false | ||
| 118 | ······var_cron_can_relabel:·false | ||
| 119 | ······var_staff_exec_content:·true | ||
| 120 | ······var_selinuxuser_direct_dri_enabled:·true | 116 | ······var_selinuxuser_direct_dri_enabled:·true |
| 117 | ······var_xdm_bind_vnc_tcp_port:·false | ||
| 118 | ······var_xserver_execmem:·false | ||
| 121 | ······var_xserver_clients_write_xshm:·false | 119 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 120 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 121 | ······var_xguest_exec_content:·true |
| 125 | ······var_ | 122 | ······var_domain_kernel_load_modules:·false |
| 126 | ······var_ | 123 | ······var_ssh_keysign:·false |
| 127 | ······var_ | 124 | ······var_secure_mode_insmod:·false |
| 128 | ······var_selinuxuser_ | 125 | ······var_selinuxuser_execmod:·true |
| 126 | ······var_staff_exec_content:·true | ||
| 129 | ······var_mmap_low_allowed:·false | 127 | ······var_mmap_low_allowed:·false |
| 130 | ······var_selinuxuser_share_music:·false | 128 | ······var_selinuxuser_share_music:·false |
| 131 | ······var_ | 129 | ······var_domain_fd_use:·true |
| 130 | ······var_selinuxuser_udp_server:·false | ||
| 132 | ······var_cron_system_cronjob_use_shares:·false | 131 | ······var_cron_system_cronjob_use_shares:·false |
| 132 | ······var_logadm_exec_content:·true | ||
| 133 | ······var_xguest_connect_network:·true | 133 | ······var_xguest_connect_network:·true |
| 134 | ······var_xdm_write_home:·false | ||
| 135 | ······var_sysadm_exec_content:·true | 134 | ······var_sysadm_exec_content:·true |
| 136 | ······var_xguest_use_bluetooth:·true | 135 | ······var_xguest_use_bluetooth:·true |
| 137 | ······var_ | 136 | ······var_kerberos_enabled:·true |
| 138 | ······var_ | 137 | ······var_guest_exec_content:·true |
| 139 | ······var_daemons_dump_core:·false | 138 | ······var_daemons_dump_core:·false |
| 140 | ······var_xdm_exec_bootloader:·false | 139 | ······var_xdm_exec_bootloader:·false |
| 141 | ······var_fips_mode:·true | 140 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 141 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | ||
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 142 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 143 | ······var_selinuxuser_ping:·true |
| 144 | ······var_secure_mode_policyload:·false | ||
| 145 | ······var_selinuxuser_execheap:·false | ||
| 146 | ······var_secadm_exec_content:·true | 146 | ······var_secadm_exec_content:·true |
| 147 | ······var_selinux_policy_name:·targeted | 147 | ······var_selinux_policy_name:·targeted |
| 148 | ······var_selinux_state:·enforcing | 148 | ······var_selinux_state:·enforcing |
| 149 | ······var_accounts_password_minlen_login_defs:·6 | 149 | ······var_accounts_password_minlen_login_defs:·6 |
| 150 | ······var_accounts_password_warn_age_login_defs:·7 | 150 | ······var_accounts_password_warn_age_login_defs:·7 |
| 151 | ······var_accounts_minimum_age_login_defs:·7 | 151 | ······var_accounts_minimum_age_login_defs:·7 |
| 152 | ······var_accounts_maximum_age_login_defs:·60 | 152 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 166, 22 lines modified | Offset 166, 22 lines modified | ||
| 166 | ······var_password_pam_difok:·8 | 166 | ······var_password_pam_difok:·8 |
| 167 | ······var_password_pam_ocredit:·-1 | 167 | ······var_password_pam_ocredit:·-1 |
| 168 | ······var_password_pam_lcredit:·-1 | 168 | ······var_password_pam_lcredit:·-1 |
| 169 | ······var_password_pam_ucredit:·-1 | 169 | ······var_password_pam_ucredit:·-1 |
| 170 | ······var_password_pam_retry:·3 | 170 | ······var_password_pam_retry:·3 |
| 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 171 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 172 | ······var_accounts_user_umask:·077 | 172 | ······var_accounts_user_umask:·077 |
| 173 | ······var_accounts_tmout:·600 | ||
| 174 | ······var_accounts_fail_delay:·4 | 173 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_max_concurrent_login_sessions:·10 | 174 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 175 | ······var_accounts_tmout:·600 | ||
| 176 | ······var_removable_partition:·/dev/cdrom | 176 | ······var_removable_partition:·/dev/cdrom |
| 177 | ······var_removable_partition:·/dev/cdrom | 177 | ······var_removable_partition:·/dev/cdrom |
| 178 | ······var_removable_partition:·/dev/cdrom | 178 | ······var_removable_partition:·/dev/cdrom |
| 179 | ······var_auditd_action_mail_acct:·root | ||
| 180 | ······var_auditd_max_log_file:·6 | 179 | ······var_auditd_max_log_file:·6 |
| 180 | ······var_auditd_action_mail_acct:·root | ||
| 181 | ······var_auditd_space_left_action:·email | 181 | ······var_auditd_space_left_action:·email |
| 182 | ······var_auditd_admin_space_left_action:·single | 182 | ······var_auditd_admin_space_left_action:·single |
| 183 | ······var_auditd_max_log_file_action:·rotate | 183 | ······var_auditd_max_log_file_action:·rotate |
| 184 | ······inactivity_timeout_value:·900 | 184 | ······inactivity_timeout_value:·900 |
| 185 | ···tasks: | 185 | ···tasks: |
| 186 | ····-·name:·Ensure·rsh·is·removed | 186 | ····-·name:·Ensure·rsh·is·removed |
| 187 | ······package: | 187 | ······package: |
| Offset 216, 54 lines modified | Offset 216, 54 lines modified | ||
| 216 | ········-·CCE-27336-7 | 216 | ········-·CCE-27336-7 |
| 217 | ········-·NIST-800-53-AC-17(8) | 217 | ········-·NIST-800-53-AC-17(8) |
| Max diff block lines reached; 130856/137699 bytes (95.03%) of diff not shown. | |||
| Offset 40, 16 lines modified | Offset 40, 16 lines modified | ||
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_password_pam_dcredit:·-1 | 44 | ······var_password_pam_dcredit:·-1 |
| 45 | ······var_password_pam_lcredit:·-1 | 45 | ······var_password_pam_lcredit:·-1 |
| 46 | ······var_password_pam_ucredit:·-1 | 46 | ······var_password_pam_ucredit:·-1 |
| 47 | ······var_auditd_action_mail_acct:·admin | ||
| 48 | ······var_auditd_max_log_file:·1 | 47 | ······var_auditd_max_log_file:·1 |
| 48 | ······var_auditd_action_mail_acct:·admin | ||
| 49 | ······var_auditd_space_left_action:·suspend | 49 | ······var_auditd_space_left_action:·suspend |
| 50 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 51 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······inactivity_timeout_value:·900 | 52 | ······inactivity_timeout_value:·900 |
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| Offset 113, 37 lines modified | Offset 113, 14 lines modified | ||
| 113 | ········-·NIST-800-53-IA-5(g) | 113 | ········-·NIST-800-53-IA-5(g) |
| 114 | ········-·NIST-800-53-IA-5(1)(d) | 114 | ········-·NIST-800-53-IA-5(1)(d) |
| 115 | ········-·NIST-800-171-3.5.6 | 115 | ········-·NIST-800-171-3.5.6 |
| 116 | ········-·PCI-DSS-Req-8.2.4 | 116 | ········-·PCI-DSS-Req-8.2.4 |
| 117 | ········-·CJIS-5.6.2.1 | 117 | ········-·CJIS-5.6.2.1 |
| 118 | ········-·DISA-STIG-RHEL-07-010250 | 118 | ········-·DISA-STIG-RHEL-07-010250 |
| 119 | ···· | 119 | ···· |
| 120 | ···· | ||
| 121 | ···· | ||
| 122 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 123 | ······lineinfile: | ||
| 124 | ········create:·yes | ||
| 125 | ········dest:·/etc/default/useradd | ||
| 126 | ········regexp:·^INACTIVE | ||
| 127 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 128 | ······tags: | ||
| 129 | ········-·account_disable_post_pw_expiration | ||
| 130 | ········-·medium_severity | ||
| 131 | ········-·restrict_strategy | ||
| 132 | ········-·low_complexity | ||
| 133 | ········-·low_disruption | ||
| 134 | ········-·CCE-27355-7 | ||
| 135 | ········-·NIST-800-53-AC-2(2) | ||
| 136 | ········-·NIST-800-53-AC-2(3) | ||
| 137 | ········-·NIST-800-53-IA-4(e) | ||
| 138 | ········-·NIST-800-171-3.5.6 | ||
| 139 | ········-·PCI-DSS-Req-8.1.4 | ||
| 140 | ········-·CJIS-5.6.2.1.1 | ||
| 141 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 142 | ···· | ||
| 143 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" | 120 | ····-·name:·"Prevent·Log·In·to·Accounts·With·Empty·Password·-·system-auth" |
| 144 | ······replace: | 121 | ······replace: |
| 145 | ········dest:·/etc/pam.d/system-auth | 122 | ········dest:·/etc/pam.d/system-auth |
| 146 | ········follow:·yes | 123 | ········follow:·yes |
| 147 | ········regexp:·'nullok' | 124 | ········regexp:·'nullok' |
| 148 | ······tags: | 125 | ······tags: |
| 149 | ········-·no_empty_passwords | 126 | ········-·no_empty_passwords |
| Offset 180, 14 lines modified | Offset 157, 37 lines modified | ||
| 180 | ········-·NIST-800-53-IA-5(1)(a) | 157 | ········-·NIST-800-53-IA-5(1)(a) |
| 181 | ········-·NIST-800-171-3.1.1 | 158 | ········-·NIST-800-171-3.1.1 |
| 182 | ········-·NIST-800-171-3.1.5 | 159 | ········-·NIST-800-171-3.1.5 |
| 183 | ········-·PCI-DSS-Req-8.2.3 | 160 | ········-·PCI-DSS-Req-8.2.3 |
| 184 | ········-·CJIS-5.5.2 | 161 | ········-·CJIS-5.5.2 |
| 185 | ········-·DISA-STIG-RHEL-07-010290 | 162 | ········-·DISA-STIG-RHEL-07-010290 |
| 186 | ···· | 163 | ···· |
| 164 | ···· | ||
| 165 | ···· | ||
| 166 | ····-·name:·Set·Account·Expiration·Following·Inactivity | ||
| 167 | ······lineinfile: | ||
| 168 | ········create:·yes | ||
| 169 | ········dest:·/etc/default/useradd | ||
| 170 | ········regexp:·^INACTIVE | ||
| 171 | ········line:·"INACTIVE={{·var_account_disable_post_pw_expiration·}}" | ||
| 172 | ······tags: | ||
| 173 | ········-·account_disable_post_pw_expiration | ||
| 174 | ········-·medium_severity | ||
| 175 | ········-·restrict_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27355-7 | ||
| 179 | ········-·NIST-800-53-AC-2(2) | ||
| 180 | ········-·NIST-800-53-AC-2(3) | ||
| 181 | ········-·NIST-800-53-IA-4(e) | ||
| 182 | ········-·NIST-800-171-3.5.6 | ||
| 183 | ········-·PCI-DSS-Req-8.1.4 | ||
| 184 | ········-·CJIS-5.6.2.1.1 | ||
| 185 | ········-·DISA-STIG-RHEL-07-010310 | ||
| 186 | ···· | ||
| 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs | 187 | ····-·name:·Set·Password·Hashing·Algorithm·in·/etc/login.defs |
| 188 | ······lineinfile: | 188 | ······lineinfile: |
| 189 | ··········dest:·/etc/login.defs | 189 | ··········dest:·/etc/login.defs |
| 190 | ··········regexp:·^#?ENCRYPT_METHOD | 190 | ··········regexp:·^#?ENCRYPT_METHOD |
| 191 | ··········line:·ENCRYPT_METHOD·SHA512 | 191 | ··········line:·ENCRYPT_METHOD·SHA512 |
| 192 | ··········state:·present | 192 | ··········state:·present |
| 193 | ······tags: | 193 | ······tags: |
| Offset 532, 105 lines modified | Offset 532, 105 lines modified | ||
| 532 | ···· | 532 | ···· |
| 533 | ····-·name:·Find·/etc/passwd·file(s) | 533 | ····-·name:·Find·/etc/passwd·file(s) |
| 534 | ······find: | 534 | ······find: |
| 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 535 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 536 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 537 | ······register:·files_found | 537 | ······register:·files_found |
| 538 | ······tags: | 538 | ······tags: |
| 539 | ········-·file_owner_etc_passwd | 539 | ········-·file_groupowner_etc_passwd |
| 540 | ········-·medium_severity | 540 | ········-·medium_severity |
| 541 | ········-·configure_strategy | 541 | ········-·configure_strategy |
| 542 | ········-·low_complexity | 542 | ········-·low_complexity |
| 543 | ········-·low_disruption | 543 | ········-·low_disruption |
| 544 | ········-·CCE-2 | 544 | ········-·CCE-26639-5 |
| 545 | ········-·NIST-800-53-AC-6 | 545 | ········-·NIST-800-53-AC-6 |
| 546 | ········-·PCI-DSS-Req-8.7.c | 546 | ········-·PCI-DSS-Req-8.7.c |
| 547 | ········-·CJIS-5.5.2.2 | 547 | ········-·CJIS-5.5.2.2 |
| 548 | ···· | 548 | ···· |
| 549 | ····-·name:·Set· | 549 | ····-·name:·Set·group·ownership·to·root |
| 550 | ······file: | 550 | ······file: |
| 551 | ········path:·"{{·item.path·}}" | 551 | ········path:·"{{·item.path·}}" |
| 552 | ········ | 552 | ········group:·root |
| 553 | ······with_items: | 553 | ······with_items: |
| 554 | ········-·"{{·files_found.files·}}" | 554 | ········-·"{{·files_found.files·}}" |
| 555 | ······tags: | 555 | ······tags: |
| 556 | ········-·file_owner_etc_passwd | 556 | ········-·file_groupowner_etc_passwd |
| 557 | ········-·medium_severity | 557 | ········-·medium_severity |
| 558 | ········-·configure_strategy | 558 | ········-·configure_strategy |
| 559 | ········-·low_complexity | 559 | ········-·low_complexity |
| 560 | ········-·low_disruption | 560 | ········-·low_disruption |
| 561 | ········-·CCE-2 | 561 | ········-·CCE-26639-5 |
| 562 | ········-·NIST-800-53-AC-6 | 562 | ········-·NIST-800-53-AC-6 |
| 563 | ········-·PCI-DSS-Req-8.7.c | 563 | ········-·PCI-DSS-Req-8.7.c |
| 564 | ········-·CJIS-5.5.2.2 | 564 | ········-·CJIS-5.5.2.2 |
| Max diff block lines reached; 30903/34829 bytes (88.73%) of diff not shown. | |||
| Offset 1005, 14 lines modified | Offset 1005, 48 lines modified | ||
| 1005 | ········-·low_disruption | 1005 | ········-·low_disruption |
| 1006 | ········-·CCE-26949-8 | 1006 | ········-·CCE-26949-8 |
| 1007 | ········-·NIST-800-53-AC-6 | 1007 | ········-·NIST-800-53-AC-6 |
| 1008 | ········-·PCI-DSS-Req-8.7.c | 1008 | ········-·PCI-DSS-Req-8.7.c |
| 1009 | ········-·CJIS-5.5.2.2 | 1009 | ········-·CJIS-5.5.2.2 |
| 1010 | ···· | 1010 | ···· |
| 1011 | ···· | 1011 | ···· |
| 1012 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1013 | ······find: | ||
| 1014 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1015 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1016 | ······register:·files_found | ||
| 1017 | ······tags: | ||
| 1018 | ········-·file_groupowner_etc_passwd | ||
| 1019 | ········-·medium_severity | ||
| 1020 | ········-·configure_strategy | ||
| 1021 | ········-·low_complexity | ||
| 1022 | ········-·low_disruption | ||
| 1023 | ········-·CCE-26639-5 | ||
| 1024 | ········-·NIST-800-53-AC-6 | ||
| 1025 | ········-·PCI-DSS-Req-8.7.c | ||
| 1026 | ········-·CJIS-5.5.2.2 | ||
| 1027 | ···· | ||
| 1028 | ····-·name:·Set·group·ownership·to·root | ||
| 1029 | ······file: | ||
| 1030 | ········path:·"{{·item.path·}}" | ||
| 1031 | ········group:·root | ||
| 1032 | ······with_items: | ||
| 1033 | ········-·"{{·files_found.files·}}" | ||
| 1034 | ······tags: | ||
| 1035 | ········-·file_groupowner_etc_passwd | ||
| 1036 | ········-·medium_severity | ||
| 1037 | ········-·configure_strategy | ||
| 1038 | ········-·low_complexity | ||
| 1039 | ········-·low_disruption | ||
| 1040 | ········-·CCE-26639-5 | ||
| 1041 | ········-·NIST-800-53-AC-6 | ||
| 1042 | ········-·PCI-DSS-Req-8.7.c | ||
| 1043 | ········-·CJIS-5.5.2.2 | ||
| 1044 | ···· | ||
| 1045 | ···· | ||
| 1012 | ····-·name:·Find·/etc/gshadow·file(s) | 1046 | ····-·name:·Find·/etc/gshadow·file(s) |
| 1013 | ······find: | 1047 | ······find: |
| 1014 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" | 1048 | ········paths:·"{{·'/etc/gshadow'·|·dirname·}}" |
| 1015 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" | 1049 | ········patterns:·"{{·'/etc/gshadow'·|·basename·}}" |
| 1016 | ······register:·files_found | 1050 | ······register:·files_found |
| 1017 | ······tags: | 1051 | ······tags: |
| 1018 | ········-·file_groupowner_etc_gshadow | 1052 | ········-·file_groupowner_etc_gshadow |
| Offset 1168, 48 lines modified | Offset 1202, 14 lines modified | ||
| 1168 | ···· | 1202 | ···· |
| 1169 | ···· | 1203 | ···· |
| 1170 | ····-·name:·Find·/etc/passwd·file(s) | 1204 | ····-·name:·Find·/etc/passwd·file(s) |
| 1171 | ······find: | 1205 | ······find: |
| 1172 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" |
| 1173 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" |
| 1174 | ······register:·files_found | 1208 | ······register:·files_found |
| 1175 | ······tags: | ||
| 1176 | ········-·file_groupowner_etc_passwd | ||
| 1177 | ········-·medium_severity | ||
| 1178 | ········-·configure_strategy | ||
| 1179 | ········-·low_complexity | ||
| 1180 | ········-·low_disruption | ||
| 1181 | ········-·CCE-26639-5 | ||
| 1182 | ········-·NIST-800-53-AC-6 | ||
| 1183 | ········-·PCI-DSS-Req-8.7.c | ||
| 1184 | ········-·CJIS-5.5.2.2 | ||
| 1185 | ···· | ||
| 1186 | ····-·name:·Set·group·ownership·to·root | ||
| 1187 | ······file: | ||
| 1188 | ········path:·"{{·item.path·}}" | ||
| 1189 | ········group:·root | ||
| 1190 | ······with_items: | ||
| 1191 | ········-·"{{·files_found.files·}}" | ||
| 1192 | ······tags: | ||
| 1193 | ········-·file_groupowner_etc_passwd | ||
| 1194 | ········-·medium_severity | ||
| 1195 | ········-·configure_strategy | ||
| 1196 | ········-·low_complexity | ||
| 1197 | ········-·low_disruption | ||
| 1198 | ········-·CCE-26639-5 | ||
| 1199 | ········-·NIST-800-53-AC-6 | ||
| 1200 | ········-·PCI-DSS-Req-8.7.c | ||
| 1201 | ········-·CJIS-5.5.2.2 | ||
| 1202 | ···· | ||
| 1203 | ···· | ||
| 1204 | ····-·name:·Find·/etc/passwd·file(s) | ||
| 1205 | ······find: | ||
| 1206 | ········paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1207 | ········patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1208 | ······register:·files_found | ||
| 1209 | ······tags: | 1209 | ······tags: |
| 1210 | ········-·file_permissions_etc_passwd | 1210 | ········-·file_permissions_etc_passwd |
| 1211 | ········-·medium_severity | 1211 | ········-·medium_severity |
| 1212 | ········-·configure_strategy | 1212 | ········-·configure_strategy |
| 1213 | ········-·low_complexity | 1213 | ········-·low_complexity |
| 1214 | ········-·low_disruption | 1214 | ········-·low_disruption |
| 1215 | ········-·CCE-26887-0 | 1215 | ········-·CCE-26887-0 |
| Offset 265, 37 lines modified | Offset 265, 14 lines modified | ||
| 265 | ········-·unknown_severity | 265 | ········-·unknown_severity |
| 266 | ········-·restrict_strategy | 266 | ········-·restrict_strategy |
| 267 | ········-·low_complexity | 267 | ········-·low_complexity |
| 268 | ········-·medium_disruption | 268 | ········-·medium_disruption |
| 269 | ········-·CCE-80200-9 | 269 | ········-·CCE-80200-9 |
| 270 | ········-·NIST-800-53-CM-6(b) | 270 | ········-·NIST-800-53-CM-6(b) |
| 271 | ···· | 271 | ···· |
| 272 | ····-·name:·Disable·service·autofs | ||
| 273 | ······service: | ||
| 274 | ········name="{{item}}" | ||
| 275 | ········enabled="no" | ||
| 276 | ········state="stopped" | ||
| 277 | ······register:·service_result | ||
| 278 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 279 | ······with_items: | ||
| 280 | ········-·autofs | ||
| 281 | ······tags: | ||
| 282 | ········-·service_autofs_disabled | ||
| 283 | ········-·medium_severity | ||
| 284 | ········-·disable_strategy | ||
| 285 | ········-·low_complexity | ||
| 286 | ········-·low_disruption | ||
| 287 | ········-·CCE-27498-5 | ||
| 288 | ········-·NIST-800-53-AC-19(a) | ||
| 289 | ········-·NIST-800-53-AC-19(d) | ||
| 290 | ········-·NIST-800-53-AC-19(e) | ||
| 291 | ········-·NIST-800-53-IA-3 | ||
| 292 | ········-·NIST-800-171-3.4.6 | ||
| 293 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 294 | ···· | ||
| 295 | ····-·name:·get·back·device·associated·to·mountpoint | 272 | ····-·name:·get·back·device·associated·to·mountpoint |
| 296 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 | 273 | ······shell:·mount·|·grep·'·/dev/shm·'·|cut·-d·'·'·-f·1 |
| 297 | ······register:·device_name | 274 | ······register:·device_name |
| 298 | ······check_mode:·no | 275 | ······check_mode:·no |
| 299 | ······tags: | 276 | ······tags: |
| 300 | ········-·mount_option_dev_shm_nosuid | 277 | ········-·mount_option_dev_shm_nosuid |
| 301 | ········-·unknown_severity | 278 | ········-·unknown_severity |
| Offset 406, 14 lines modified | Offset 383, 37 lines modified | ||
| 406 | ········-·configure_strategy | 383 | ········-·configure_strategy |
| 407 | ········-·low_complexity | 384 | ········-·low_complexity |
| 408 | ········-·high_disruption | 385 | ········-·high_disruption |
| 409 | ········-·CCE-80152-2 | 386 | ········-·CCE-80152-2 |
| 410 | ········-·NIST-800-53-CM-7 | 387 | ········-·NIST-800-53-CM-7 |
| 411 | ········-·NIST-800-53-MP-2 | 388 | ········-·NIST-800-53-MP-2 |
| 412 | ···· | 389 | ···· |
| 390 | ····-·name:·Disable·service·autofs | ||
| 391 | ······service: | ||
| 392 | ········name="{{item}}" | ||
| 393 | ········enabled="no" | ||
| 394 | ········state="stopped" | ||
| 395 | ······register:·service_result | ||
| 396 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 397 | ······with_items: | ||
| 398 | ········-·autofs | ||
| 399 | ······tags: | ||
| 400 | ········-·service_autofs_disabled | ||
| 401 | ········-·medium_severity | ||
| 402 | ········-·disable_strategy | ||
| 403 | ········-·low_complexity | ||
| 404 | ········-·low_disruption | ||
| 405 | ········-·CCE-27498-5 | ||
| 406 | ········-·NIST-800-53-AC-19(a) | ||
| 407 | ········-·NIST-800-53-AC-19(d) | ||
| 408 | ········-·NIST-800-53-AC-19(e) | ||
| 409 | ········-·NIST-800-53-IA-3 | ||
| 410 | ········-·NIST-800-171-3.4.6 | ||
| 411 | ········-·DISA-STIG-RHEL-07-020110 | ||
| 412 | ···· | ||
| 413 | ···· | 413 | ···· |
| 414 | ····# | 414 | ····# |
| 415 | ····#·What·architecture·are·we·on? | 415 | ····#·What·architecture·are·we·on? |
| 416 | ····# | 416 | ····# |
| 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks | 417 | ····-·name:·Set·architecture·for·audit·fchown·tasks |
| 418 | ······set_fact: | 418 | ······set_fact: |
| 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 419 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| Offset 970, 154 lines modified | Offset 970, 14 lines modified | ||
| 970 | ········-·CJIS-5.4.1.1 | 970 | ········-·CJIS-5.4.1.1 |
| 971 | ········-·DISA-STIG-RHEL-07-030460 | 971 | ········-·DISA-STIG-RHEL-07-030460 |
| 972 | ···· | 972 | ···· |
| 973 | ···· | 973 | ···· |
| 974 | ····# | 974 | ····# |
| 975 | ····#·What·architecture·are·we·on? | 975 | ····#·What·architecture·are·we·on? |
| 976 | ····# | 976 | ····# |
| 977 | ····-·name:·Set·architecture·for·audit·chmod·tasks | ||
| 978 | ······set_fact: | ||
| 979 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | ||
| 980 | ···· | ||
| 981 | ····# | ||
| 982 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | ||
| 983 | ····# | ||
| 984 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | ||
| 985 | ······find: | ||
| 986 | ········paths:·"/etc/audit/rules.d" | ||
| 987 | ········recurse:·no | ||
| 988 | ········contains:·"-F·key=perm_mod$" | ||
| 989 | ········patterns:·"*.rules" | ||
| 990 | ······register:·find_chmod | ||
| 991 | ···· | ||
| 992 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | ||
| 993 | ······set_fact: | ||
| 994 | ········all_files:· | ||
| 995 | ··········-·/etc/audit/rules.d/privileged.rules | ||
| 996 | ······when:·find_chmod.matched·==·0 | ||
| 997 | ···· | ||
| 998 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | ||
| 999 | ······set_fact: | ||
| 1000 | ········all_files: | ||
| 1001 | ··········-·"{{·find_chmod.files·|·map(attribute='path')·|·list·|·first·}}" | ||
| 1002 | ······when:·find_chmod.matched·>·0 | ||
| 1003 | ···· | ||
| 1004 | ····-·name:·Inserts/replaces·the·chmod·rule·in·rules.d·when·on·x86 | ||
| 1005 | ······lineinfile: | ||
| 1006 | ········path:·"{{·all_files[0]·}}" | ||
| 1007 | ········line:·"-a·always,exit·-F·arch=b32·-S·chmod·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" | ||
| 1008 | ········create:·yes | ||
| 1009 | ······tags: | ||
| 1010 | ········-·audit_rules_dac_modification_chmod | ||
| 1011 | ········-·unknown_severity | ||
| 1012 | ········-·restrict_strategy | ||
| 1013 | ········-·low_complexity | ||
| 1014 | ········-·low_disruption | ||
| 1015 | ········-·CCE-27339-1 | ||
| 1016 | ········-·NIST-800-53-AC-17(7) | ||
| 1017 | ········-·NIST-800-53-AU-1(b) | ||
| 1018 | ········-·NIST-800-53-AU-2(a) | ||
| 1019 | ········-·NIST-800-53-AU-2(c) | ||
| 1020 | ········-·NIST-800-53-AU-2(d) | ||
| Max diff block lines reached; 17435/24355 bytes (71.59%) of diff not shown. | |||
| Offset 43, 18 lines modified | Offset 43, 18 lines modified | ||
| 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 43 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | ||
| 54 | ······var_selinux_policy_name:·targeted | 54 | ······var_selinux_policy_name:·targeted |
| 55 | ······var_selinux_state:·enforcing | 55 | ······var_selinux_state:·enforcing |
| 56 | ······var_accounts_minimum_age_login_defs:·1 | 56 | ······var_accounts_minimum_age_login_defs:·1 |
| 57 | ······var_accounts_maximum_age_login_defs:·60 | 57 | ······var_accounts_maximum_age_login_defs:·60 |
| 58 | ······var_account_disable_post_pw_expiration:·0 | 58 | ······var_account_disable_post_pw_expiration:·0 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 71, 17 lines modified | Offset 71, 17 lines modified | ||
| 71 | ······var_password_pam_difok:·8 | 71 | ······var_password_pam_difok:·8 |
| 72 | ······var_password_pam_ocredit:·-1 | 72 | ······var_password_pam_ocredit:·-1 |
| 73 | ······var_password_pam_lcredit:·-1 | 73 | ······var_password_pam_lcredit:·-1 |
| 74 | ······var_password_pam_ucredit:·-1 | 74 | ······var_password_pam_ucredit:·-1 |
| 75 | ······var_password_pam_retry:·3 | 75 | ······var_password_pam_retry:·3 |
| 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 76 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 77 | ······var_accounts_user_umask:·077 | 77 | ······var_accounts_user_umask:·077 |
| 78 | ······var_accounts_tmout:·600 | ||
| 79 | ······var_accounts_fail_delay:·4 | 78 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_max_concurrent_login_sessions:·10 | 79 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 80 | ······var_accounts_tmout:·600 | ||
| 81 | ······var_removable_partition:·/dev/cdrom | 81 | ······var_removable_partition:·/dev/cdrom |
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······inactivity_timeout_value:·900 | 84 | ······inactivity_timeout_value:·900 |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| Offset 790, 33 lines modified | Offset 790, 14 lines modified | ||
| 790 | ········-·low_disruption | 790 | ········-·low_disruption |
| 791 | ········-·CCE-27343-3 | 791 | ········-·CCE-27343-3 |
| 792 | ········-·NIST-800-53-AU-3(2) | 792 | ········-·NIST-800-53-AU-3(2) |
| 793 | ········-·NIST-800-53-AU-4(1) | 793 | ········-·NIST-800-53-AU-4(1) |
| 794 | ········-·NIST-800-53-AU-9 | 794 | ········-·NIST-800-53-AU-9 |
| 795 | ········-·DISA-STIG-RHEL-07-031000 | 795 | ········-·DISA-STIG-RHEL-07-031000 |
| 796 | ···· | 796 | ···· |
| 797 | ···· | ||
| 798 | ···· | ||
| 799 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 800 | ······sysctl: | ||
| 801 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 802 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 803 | ········state:·present | ||
| 804 | ········reload:·yes | ||
| 805 | ······tags: | ||
| 806 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 807 | ········-·medium_severity | ||
| 808 | ········-·disable_strategy | ||
| 809 | ········-·low_complexity | ||
| 810 | ········-·medium_disruption | ||
| 811 | ········-·CCE-80179-5 | ||
| 812 | ········-·NIST-800-53-AC-4 | ||
| 813 | ········-·NIST-800-171-3.1.20 | ||
| 814 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 815 | ···· | ||
| 816 | ····-·name:·Enable·service·firewalld | 797 | ····-·name:·Enable·service·firewalld |
| 817 | ······service: | 798 | ······service: |
| 818 | ········name="{{item}}" | 799 | ········name="{{item}}" |
| 819 | ········enabled="yes" | 800 | ········enabled="yes" |
| 820 | ········state="started" | 801 | ········state="started" |
| 821 | ······with_items: | 802 | ······with_items: |
| 822 | ········-·firewalld | 803 | ········-·firewalld |
| Offset 830, 14 lines modified | Offset 811, 33 lines modified | ||
| 830 | ········-·NIST-800-53-CM-6(b) | 811 | ········-·NIST-800-53-CM-6(b) |
| 831 | ········-·NIST-800-171-3.1.3 | 812 | ········-·NIST-800-171-3.1.3 |
| 832 | ········-·NIST-800-171-3.4.7 | 813 | ········-·NIST-800-171-3.4.7 |
| 833 | ········-·DISA-STIG-RHEL-07-040520 | 814 | ········-·DISA-STIG-RHEL-07-040520 |
| 834 | ···· | 815 | ···· |
| 835 | ···· | 816 | ···· |
| 836 | ···· | 817 | ···· |
| 818 | ····-·name:·Ensure·sysctl·net.ipv6.conf.all.accept_source_route·is·set | ||
| 819 | ······sysctl: | ||
| 820 | ········name:·net.ipv6.conf.all.accept_source_route | ||
| 821 | ········value:·"{{·sysctl_net_ipv6_conf_all_accept_source_route_value·}}" | ||
| 822 | ········state:·present | ||
| 823 | ········reload:·yes | ||
| 824 | ······tags: | ||
| 825 | ········-·sysctl_net_ipv6_conf_all_accept_source_route | ||
| 826 | ········-·medium_severity | ||
| 827 | ········-·disable_strategy | ||
| 828 | ········-·low_complexity | ||
| 829 | ········-·medium_disruption | ||
| 830 | ········-·CCE-80179-5 | ||
| 831 | ········-·NIST-800-53-AC-4 | ||
| 832 | ········-·NIST-800-171-3.1.20 | ||
| 833 | ········-·DISA-STIG-RHEL-07-040830 | ||
| 834 | ···· | ||
| 835 | ···· | ||
| 836 | ···· | ||
| 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set | 837 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_source_route·is·set |
| 838 | ······sysctl: | 838 | ······sysctl: |
| 839 | ········name:·net.ipv4.conf.default.accept_source_route | 839 | ········name:·net.ipv4.conf.default.accept_source_route |
| 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" | 840 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_source_route_value·}}" |
| 841 | ········state:·present | 841 | ········state:·present |
| 842 | ········reload:·yes | 842 | ········reload:·yes |
| 843 | ······tags: | 843 | ······tags: |
| Offset 853, 56 lines modified | Offset 853, 55 lines modified | ||
| 853 | ········-·NIST-800-53-SC-7 | 853 | ········-·NIST-800-53-SC-7 |
| 854 | ········-·NIST-800-171-3.1.20 | 854 | ········-·NIST-800-171-3.1.20 |
| 855 | ········-·CJIS-5.10.1.1 | 855 | ········-·CJIS-5.10.1.1 |
| 856 | ········-·DISA-STIG-RHEL-07-040620 | 856 | ········-·DISA-STIG-RHEL-07-040620 |
| 857 | ···· | 857 | ···· |
| 858 | ···· | 858 | ···· |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Ensure·sysctl·net.ipv4. | 860 | ····-·name:·Ensure·sysctl·net.ipv4.conf.default.accept_redirects·is·set |
| 861 | ······sysctl: | 861 | ······sysctl: |
| 862 | ········name:·net.ipv4. | 862 | ········name:·net.ipv4.conf.default.accept_redirects |
| 863 | ········value:·"{{·sysctl_net_ipv4_ | 863 | ········value:·"{{·sysctl_net_ipv4_conf_default_accept_redirects_value·}}" |
| 864 | ········state:·present | 864 | ········state:·present |
| 865 | ········reload:·yes | 865 | ········reload:·yes |
| 866 | ······tags: | 866 | ······tags: |
| 867 | ········-·sysctl_net_ipv4_ | 867 | ········-·sysctl_net_ipv4_conf_default_accept_redirects |
| 868 | ········-·medium_severity | 868 | ········-·medium_severity |
| 869 | ········-·disable_strategy | 869 | ········-·disable_strategy |
| 870 | ········-·low_complexity | 870 | ········-·low_complexity |
| 871 | ········-·medium_disruption | 871 | ········-·medium_disruption |
| Max diff block lines reached; 74412/81586 bytes (91.21%) of diff not shown. | |||
| Offset 115, 61 lines modified | Offset 115, 17 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·' | 119 | #·BEGIN·fix·(3·/·188)·for·'service_ntpd_enabled' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·' | 121 | (>&2·echo·"Remediating·rule·3/188:·'service_ntpd_enabled'") |
| 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 123 | # | ||
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·dhcp | ||
| 155 | #·END·fix·for·'package_dhcp_removed' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(4·/·188)·for·'service_ntpd_enabled' | ||
| 158 | ############################################################################### | ||
| 159 | (>&2·echo·"Remediating·rule·4/188:·'service_ntpd_enabled'") | ||
| 160 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 122 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 161 | # | 123 | # |
| 162 | #·Example·Call(s): | 124 | #·Example·Call(s): |
| 163 | # | 125 | # |
| 164 | #·····service_command·enable·bluetooth | 126 | #·····service_command·enable·bluetooth |
| 165 | #·····service_command·disable·bluetooth.service | 127 | #·····service_command·disable·bluetooth.service |
| 166 | # | 128 | # |
| Offset 241, 31 lines modified | Offset 197, 31 lines modified | ||
| 241 | } | 197 | } |
| 242 | service_command·enable·ntpd | 198 | service_command·enable·ntpd |
| 243 | #·END·fix·for·'service_ntpd_enabled' | 199 | #·END·fix·for·'service_ntpd_enabled' |
| 244 | ############################################################################### | 200 | ############################################################################### |
| 245 | #·BEGIN·fix·( | 201 | #·BEGIN·fix·(4·/·188)·for·'ntpd_specify_remote_server' |
| 246 | ############################################################################### | 202 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule· | 203 | (>&2·echo·"Remediating·rule·4/188:·'ntpd_specify_remote_server'") |
| 248 | #·FIX·FOR·THIS·RULE·IS·MISSING | 204 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 249 | #·END·fix·for·'ntpd_specify_ | 205 | #·END·fix·for·'ntpd_specify_remote_server' |
| 250 | ############################################################################### | 206 | ############################################################################### |
| 251 | #·BEGIN·fix·( | 207 | #·BEGIN·fix·(5·/·188)·for·'ntpd_specify_multiple_servers' |
| 252 | ############################################################################### | 208 | ############################################################################### |
| 253 | (>&2·echo·"Remediating·rule· | 209 | (>&2·echo·"Remediating·rule·5/188:·'ntpd_specify_multiple_servers'") |
| 254 | #·FIX·FOR·THIS·RULE·IS·MISSING | 210 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 255 | #·END·fix·for·'ntpd_specify_ | 211 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 256 | ############################################################################### | 212 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 213 | #·BEGIN·fix·(6·/·188)·for·'service_cups_disabled' |
| 258 | ############################################################################### | 214 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 215 | (>&2·echo·"Remediating·rule·6/188:·'service_cups_disabled'") |
| 260 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 216 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 217 | # |
| 262 | #·Example·Call(s): | 218 | #·Example·Call(s): |
| 263 | # | 219 | # |
| 264 | #·····service_command·enable·bluetooth | 220 | #·····service_command·enable·bluetooth |
| 265 | #·····service_command·disable·bluetooth.service | 221 | #·····service_command·disable·bluetooth.service |
| 266 | # | 222 | # |
| Offset 337, 17 lines modified | Offset 293, 17 lines modified | ||
| 337 | } | 293 | } |
| 338 | service_command·disable·cups | 294 | service_command·disable·cups |
| 339 | #·END·fix·for·'service_cups_disabled' | 295 | #·END·fix·for·'service_cups_disabled' |
| 340 | ############################################################################### | 296 | ############################################################################### |
| 341 | #·BEGIN·fix·( | 297 | #·BEGIN·fix·(7·/·188)·for·'package_net-snmp_removed' |
| 342 | ############################################################################### | 298 | ############################################################################### |
| 343 | (>&2·echo·"Remediating·rule· | 299 | (>&2·echo·"Remediating·rule·7/188:·'package_net-snmp_removed'") |
| 344 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 345 | # | 301 | # |
| 346 | #·Example·Call(s): | 302 | #·Example·Call(s): |
| 347 | # | 303 | # |
| 348 | #·····package_remove·telnet-server | 304 | #·····package_remove·telnet-server |
| 349 | # | 305 | # |
| 350 | function·package_remove·{ | 306 | function·package_remove·{ |
| Offset 381, 225 lines modified | Offset 337, 17 lines modified | ||
| 381 | } | 337 | } |
| 382 | package_remove·net-snmp | 338 | package_remove·net-snmp |
| 383 | #·END·fix·for·'package_net-snmp_removed' | 339 | #·END·fix·for·'package_net-snmp_removed' |
| 384 | ############################################################################### | 340 | ############################################################################### |
| 385 | #·BEGIN·fix·( | 341 | #·BEGIN·fix·(8·/·188)·for·'package_rsh_removed' |
| 386 | ############################################################################### | 342 | ############################################################################### |
| 387 | (>&2·echo·"Remediating·rule· | 343 | (>&2·echo·"Remediating·rule·8/188:·'package_rsh_removed'") |
| 388 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 389 | # | ||
| 390 | #·Example·Call(s): | ||
| 391 | # | ||
| 392 | #·····service_command·enable·bluetooth | ||
| Max diff block lines reached; 431773/442964 bytes (97.47%) of diff not shown. | |||
| Offset 18, 26 lines modified | Offset 18, 26 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_ | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_present_banner' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_ | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_present_banner'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'ftp_ | 28 | #·END·fix·for·'ftp_present_banner' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_ | 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_log_transactions' |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_ | 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_log_transactions'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'ftp_ | 34 | #·END·fix·for·'ftp_log_transactions' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") |
| 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 40 | # | 40 | # |
| Offset 280, 19 lines modified | Offset 280, 19 lines modified | ||
| 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' | 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 281 | ############################################################################### | 281 | ############################################################################### |
| 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") | 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 283 | #·FIX·FOR·THIS·RULE·IS·MISSING | 283 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 284 | #·END·fix·for·'httpd_cgi_support' | 284 | #·END·fix·for·'httpd_cgi_support' |
| 285 | ############################################################################### | 285 | ############################################################################### |
| 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication' |
| 287 | ############################################################################### | 287 | ############################################################################### |
| 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'") |
| 289 | #·FIX·FOR·THIS·RULE·IS·MISSING | 289 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 290 | #·END·fix·for·'httpd_ | 290 | #·END·fix·for·'httpd_digest_authentication' |
| 291 | ############################################################################### | 291 | ############################################################################### |
| 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 293 | ############################################################################### | 293 | ############################################################################### |
| 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 295 | #·FIX·FOR·THIS·RULE·IS·MISSING | 295 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 296 | #·END·fix·for·'httpd_server_activity_status' | 296 | #·END·fix·for·'httpd_server_activity_status' |
| Offset 301, 19 lines modified | Offset 301, 19 lines modified | ||
| 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' | 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' |
| 302 | ############################################################################### | 302 | ############################################################################### |
| 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") | 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") |
| 304 | #·FIX·FOR·THIS·RULE·IS·MISSING | 304 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 305 | #·END·fix·for·'httpd_server_configuration_display' | 305 | #·END·fix·for·'httpd_server_configuration_display' |
| 306 | ############################################################################### | 306 | ############################################################################### |
| 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_ | 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_url_correction' |
| 308 | ############################################################################### | 308 | ############################################################################### |
| 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_ | 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_url_correction'") |
| 310 | #·FIX·FOR·THIS·RULE·IS·MISSING | 310 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 311 | #·END·fix·for·'httpd_ | 311 | #·END·fix·for·'httpd_url_correction' |
| 312 | ############################################################################### | 312 | ############################################################################### |
| 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' | 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' |
| 314 | ############################################################################### | 314 | ############################################################################### |
| 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") | 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") |
| 316 | #·FIX·FOR·THIS·RULE·IS·MISSING | 316 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 317 | #·END·fix·for·'httpd_mime_magic' | 317 | #·END·fix·for·'httpd_mime_magic' |
| Offset 350, 59 lines modified | Offset 350, 17 lines modified | ||
| 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' | 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' |
| 351 | ############################################################################### | 351 | ############################################################################### |
| 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") | 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") |
| 353 | #·FIX·FOR·THIS·RULE·IS·MISSING | 353 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 354 | #·END·fix·for·'httpd_proxy_support' | 354 | #·END·fix·for·'httpd_proxy_support' |
| 355 | ############################################################################### | 355 | ############################################################################### |
| 356 | #·BEGIN·fix·(27·/·313)·for·'s | 356 | #·BEGIN·fix·(27·/·313)·for·'service_ntpd_enabled' |
| 357 | ############################################################################### | ||
| 358 | (>&2·echo·"Remediating·rule·27/313:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 359 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 360 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 361 | ############################################################################### | ||
| 362 | #·BEGIN·fix·(28·/·313)·for·'dhcp_server_deny_decline' | ||
| 363 | ############################################################################### | ||
| 364 | (>&2·echo·"Remediating·rule·28/313:·'dhcp_server_deny_decline'") | ||
| 365 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 366 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 367 | ############################################################################### | ||
| 368 | #·BEGIN·fix·(29·/·313)·for·'dhcp_server_disable_ddns' | ||
| 369 | ############################################################################### | ||
| 370 | (>&2·echo·"Remediating·rule·29/313:·'dhcp_server_disable_ddns'") | ||
| 371 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 372 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 373 | ############################################################################### | ||
| 374 | #·BEGIN·fix·(30·/·313)·for·'dhcp_server_minimize_served_info' | ||
| 375 | ############################################################################### | ||
| 376 | (>&2·echo·"Remediating·rule·30/313:·'dhcp_server_minimize_served_info'") | ||
| 377 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 378 | #·END·fix·for·'dhcp_server_minimize_served_info' | ||
| 379 | ############################################################################### | ||
| 380 | #·BEGIN·fix·(31·/·313)·for·'dhcp_server_deny_bootp' | ||
| 381 | ############################################################################### | ||
| 382 | (>&2·echo·"Remediating·rule·31/313:·'dhcp_server_deny_bootp'") | ||
| 383 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 384 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 385 | ############################################################################### | ||
| 386 | #·BEGIN·fix·(32·/·313)·for·'dhcp_server_configure_logging' | ||
| 387 | ############################################################################### | ||
| 388 | (>&2·echo·"Remediating·rule·32/313:·'dhcp_server_configure_logging'") | ||
| 389 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 390 | #·END·fix·for·'dhcp_server_configure_logging' | ||
| 391 | ############################################################################### | ||
| 392 | #·BEGIN·fix·(33·/·313)·for·'service_ntpd_enabled' | ||
| 393 | ############################################################################### | 357 | ############################################################################### |
| 394 | (>&2·echo·"Remediating·rule· | 358 | (>&2·echo·"Remediating·rule·27/313:·'service_ntpd_enabled'") |
| 395 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 359 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 396 | # | 360 | # |
| 397 | #·Example·Call(s): | 361 | #·Example·Call(s): |
| 398 | # | 362 | # |
| 399 | #·····service_command·enable·bluetooth | 363 | #·····service_command·enable·bluetooth |
| 400 | #·····service_command·disable·bluetooth.service | 364 | #·····service_command·disable·bluetooth.service |
| 401 | # | 365 | # |
| Offset 474, 31 lines modified | Offset 432, 31 lines modified | ||
| Max diff block lines reached; 653403/660390 bytes (98.94%) of diff not shown. | |||
| Offset 171, 171 lines modified | Offset 171, 17 lines modified | ||
| 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' | 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") | 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") |
| 174 | #·FIX·FOR·THIS·RULE·IS·MISSING | 174 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 175 | #·END·fix·for·'dir_perms_var_log_httpd' | 175 | #·END·fix·for·'dir_perms_var_log_httpd' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | #·BEGIN·fix·(6·/·215)·for·'s | 177 | #·BEGIN·fix·(6·/·215)·for·'service_ntpd_enabled' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | (>&2·echo·"Remediating·rule·6/215:·'s | 179 | (>&2·echo·"Remediating·rule·6/215:·'service_ntpd_enabled'") |
| 180 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 181 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 182 | ############################################################################### | ||
| 183 | #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline' | ||
| 184 | ############################################################################### | ||
| 185 | (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'") | ||
| 186 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 187 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 188 | ############################################################################### | ||
| 189 | #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns' | ||
| 190 | ############################################################################### | ||
| 191 | (>&2·echo·"Remediating·rule·8/215:·'dhcp_server_disable_ddns'") | ||
| 192 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 193 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 194 | ############################################################################### | ||
| 195 | #·BEGIN·fix·(9·/·215)·for·'dhcp_server_deny_bootp' | ||
| 196 | ############################################################################### | ||
| 197 | (>&2·echo·"Remediating·rule·9/215:·'dhcp_server_deny_bootp'") | ||
| 198 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 199 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 200 | ############################################################################### | ||
| 201 | #·BEGIN·fix·(10·/·215)·for·'package_dhcp_removed' | ||
| 202 | ############################################################################### | ||
| 203 | (>&2·echo·"Remediating·rule·10/215:·'package_dhcp_removed'") | ||
| 204 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 205 | # | ||
| 206 | #·Example·Call(s): | ||
| 207 | # | ||
| 208 | #·····package_remove·telnet-server | ||
| 209 | # | ||
| 210 | function·package_remove·{ | ||
| 211 | #·Load·function·arguments·into·local·variables | ||
| 212 | local·package="$1" | ||
| 213 | #·Check·sanity·of·the·input | ||
| 214 | if·[·$#·-ne·"1"·] | ||
| 215 | then | ||
| 216 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | if·which·dnf·;·then | ||
| 221 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 222 | ····dnf·remove·-y·"$package" | ||
| 223 | ··fi | ||
| 224 | elif·which·yum·;·then | ||
| 225 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 226 | ····yum·remove·-y·"$package" | ||
| 227 | ··fi | ||
| 228 | elif·which·apt-get·;·then | ||
| 229 | ··apt-get·remove·-y·"$package" | ||
| 230 | else | ||
| 231 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 232 | ··echo·"Aborting." | ||
| 233 | ··exit·1 | ||
| 234 | fi | ||
| 235 | } | ||
| 236 | package_remove·dhcp | ||
| 237 | #·END·fix·for·'package_dhcp_removed' | ||
| 238 | ############################################################################### | ||
| 239 | #·BEGIN·fix·(11·/·215)·for·'service_dhcpd_disabled' | ||
| 240 | ############################################################################### | ||
| 241 | (>&2·echo·"Remediating·rule·11/215:·'service_dhcpd_disabled'") | ||
| 242 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 243 | # | ||
| 244 | #·Example·Call(s): | ||
| 245 | # | ||
| 246 | #·····service_command·enable·bluetooth | ||
| 247 | #·····service_command·disable·bluetooth.service | ||
| 248 | # | ||
| 249 | #·····Using·xinetd: | ||
| 250 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 251 | # | ||
| 252 | function·service_command·{ | ||
| 253 | #·Load·function·arguments·into·local·variables | ||
| 254 | local·service_state=$1 | ||
| 255 | local·service=$2 | ||
| 256 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 257 | #·Check·sanity·of·the·input | ||
| 258 | if·[·$#·-lt·"2"·] | ||
| 259 | then | ||
| 260 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 261 | ··echo | ||
| 262 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 263 | ··echo·"as·the·last·argument"·· | ||
| 264 | ··echo·"Aborting." | ||
| 265 | ··exit·1 | ||
| 266 | fi | ||
| 267 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 268 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 269 | ··service_util="/usr/bin/systemctl" | ||
| 270 | else | ||
| 271 | ··service_util="/sbin/service" | ||
| 272 | ··chkconfig_util="/sbin/chkconfig" | ||
| 273 | fi | ||
| 274 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 275 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 276 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 277 | ··service_state="enable" | ||
| 278 | ··service_operation="start" | ||
| 279 | ··chkconfig_state="on" | ||
| 280 | else | ||
| 281 | ··service_state="disable" | ||
| 282 | ··service_operation="stop" | ||
| Max diff block lines reached; 399972/405921 bytes (98.53%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·206)·for·' | 275 | #·BEGIN·fix·(5·/·206)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/206:·' | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·206)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/206:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 476334/480616 bytes (99.11%) of diff not shown. | |||
| Offset 100, 195 lines modified | Offset 100, 31 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 108 | #·END·fix·for·'ntpd_specify_multiple_servers' | ||
| 109 | ############################################################################### | ||
| 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | ||
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | ||
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_remote_server' | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 109 | ############################################################################### |
| 116 | #·BEGIN·fix·( | 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_multiple_servers' |
| 117 | ############################################################################### | ||
| 118 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") | ||
| 119 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 120 | # | ||
| 121 | #·Example·Call(s): | ||
| 122 | # | ||
| 123 | #·····service_command·enable·bluetooth | ||
| 124 | #·····service_command·disable·bluetooth.service | ||
| 125 | # | ||
| 126 | #·····Using·xinetd: | ||
| 127 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 128 | # | ||
| 129 | function·service_command·{ | ||
| 130 | #·Load·function·arguments·into·local·variables | ||
| 131 | local·service_state=$1 | ||
| 132 | local·service=$2 | ||
| 133 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 134 | #·Check·sanity·of·the·input | ||
| 135 | if·[·$#·-lt·"2"·] | ||
| 136 | then | ||
| 137 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 138 | ··echo | ||
| 139 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 140 | ··echo·"as·the·last·argument"·· | ||
| 141 | ··echo·"Aborting." | ||
| 142 | ··exit·1 | ||
| 143 | fi | ||
| 144 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 145 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 146 | ··service_util="/usr/bin/systemctl" | ||
| 147 | else | ||
| 148 | ··service_util="/sbin/service" | ||
| 149 | ··chkconfig_util="/sbin/chkconfig" | ||
| 150 | fi | ||
| 151 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 152 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 153 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 154 | ··service_state="enable" | ||
| 155 | ··service_operation="start" | ||
| 156 | ··chkconfig_state="on" | ||
| 157 | else | ||
| 158 | ··service_state="disable" | ||
| 159 | ··service_operation="stop" | ||
| 160 | ··chkconfig_state="off" | ||
| 161 | fi | ||
| 162 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 163 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 164 | ··$service_util·$service·$service_operation | ||
| 165 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 166 | else | ||
| 167 | ··$service_util·$service_operation·$service | ||
| 168 | ··$service_util·$service_state·$service | ||
| 169 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 170 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 171 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 172 | ··$service_util·reset-failed·$service | ||
| 173 | fi | ||
| 174 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 175 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 176 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 177 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 178 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 179 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 180 | ··else | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··fi | ||
| 183 | fi | ||
| 184 | } | ||
| 185 | service_command·enable·crond | ||
| 186 | #·END·fix·for·'service_crond_enabled' | ||
| 187 | ############################################################################### | ||
| 188 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 189 | ############################################################################### | 111 | ############################################################################### |
| 190 | (>&2·echo·"Remediating·rule· | 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_multiple_servers'") |
| 191 | #·F | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 192 | # | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 193 | #·Example·Call(s): | ||
| 194 | # | ||
| 195 | #·····service_command·enable·bluetooth | ||
| 196 | #·····service_command·disable·bluetooth.service | ||
| 197 | # | ||
| 198 | #·····Using·xinetd: | ||
| 199 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 200 | # | ||
| 201 | function·service_command·{ | ||
| 202 | #·Load·function·arguments·into·local·variables | ||
| 203 | local·service_state=$1 | ||
| 204 | local·service=$2 | ||
| 205 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 206 | #·Check·sanity·of·the·input | ||
| 207 | if·[·$#·-lt·"2"·] | ||
| 208 | then | ||
| 209 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| Max diff block lines reached; 434330/440729 bytes (98.55%) of diff not shown. | |||
| Offset 25, 40 lines modified | Offset 25, 40 lines modified | ||
| 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' | 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") | 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | 28 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 29 | #·END·fix·for·'ftp_restrict_to_anon' | 29 | #·END·fix·for·'ftp_restrict_to_anon' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_ | 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 35 | #·END·fix·for·'ftp_ | 35 | #·END·fix·for·'ftp_present_banner' |
| 36 | ############################################################################### | 36 | ############################################################################### |
| 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_ | 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_disable_uploads' |
| 38 | ############################################################################### | 38 | ############################################################################### |
| 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_ | 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_disable_uploads'") |
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_ | 41 | #·END·fix·for·'ftp_disable_uploads' |
| 42 | ############################################################################### | 42 | ############################################################################### |
| 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_ | 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_home_partition' |
| 44 | ############################################################################### | 44 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_ | 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_home_partition'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 46 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'ftp_ | 47 | #·END·fix·for·'ftp_home_partition' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_ | 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_log_transactions' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_ | 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_log_transactions'") |
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | 52 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 53 | #·END·fix·for·'ftp_ | 53 | #·END·fix·for·'ftp_log_transactions' |
| 54 | ############################################################################### | 54 | ############################################################################### |
| 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' |
| 56 | ############################################################################### | 56 | ############################################################################### |
| 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") |
| 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 59 | # | 59 | # |
| Offset 97, 24 lines modified | Offset 97, 17 lines modified | ||
| 97 | } | 97 | } |
| 98 | package_install·vsftpd | 98 | package_install·vsftpd |
| 99 | #·END·fix·for·'package_vsftpd_installed' | 99 | #·END·fix·for·'package_vsftpd_installed' |
| 100 | ############################################################################### | 100 | ############################################################################### |
| 101 | #·BEGIN·fix·(7·/·192)·for·'s | 101 | #·BEGIN·fix·(7·/·192)·for·'service_ntpd_enabled' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | (>&2·echo·"Remediating·rule·7/192:·'s | 103 | (>&2·echo·"Remediating·rule·7/192:·'service_ntpd_enabled'") |
| 104 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 105 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 106 | ############################################################################### | ||
| 107 | #·BEGIN·fix·(8·/·192)·for·'service_ntpd_enabled' | ||
| 108 | ############################################################################### | ||
| 109 | (>&2·echo·"Remediating·rule·8/192:·'service_ntpd_enabled'") | ||
| 110 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 104 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 111 | # | 105 | # |
| 112 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 113 | # | 107 | # |
| 114 | #·····service_command·enable·bluetooth | 108 | #·····service_command·enable·bluetooth |
| 115 | #·····service_command·disable·bluetooth.service | 109 | #·····service_command·disable·bluetooth.service |
| 116 | # | 110 | # |
| Offset 186, 260 lines modified | Offset 179, 45 lines modified | ||
| 186 | } | 179 | } |
| 187 | service_command·enable·ntpd | 180 | service_command·enable·ntpd |
| 188 | #·END·fix·for·'service_ntpd_enabled' | 181 | #·END·fix·for·'service_ntpd_enabled' |
| 189 | ############################################################################### | 182 | ############################################################################### |
| 190 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(8·/·192)·for·'ntpd_specify_remote_server' |
| 191 | ############################################################################### | 184 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·8/192:·'ntpd_specify_remote_server'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 186 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·'ntpd_specify_remote_server' | 187 | #·END·fix·for·'ntpd_specify_remote_server' |
| 195 | ############################################################################### | 188 | ############################################################################### |
| 196 | #·BEGIN·fix·( | 189 | #·BEGIN·fix·(9·/·192)·for·'service_rlogin_disabled' |
| 197 | ############################################################################### | ||
| 198 | (>&2·echo·"Remediating·rule·10/192:·'service_crond_enabled'") | ||
| 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 200 | # | ||
| 201 | #·Example·Call(s): | ||
| 202 | # | ||
| 203 | #·····service_command·enable·bluetooth | ||
| 204 | #·····service_command·disable·bluetooth.service | ||
| 205 | # | ||
| 206 | #·····Using·xinetd: | ||
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 210 | #·Load·function·arguments·into·local·variables | ||
| 211 | local·service_state=$1 | ||
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-lt·"2"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 223 | fi | ||
| 224 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 225 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 226 | ··service_util="/usr/bin/systemctl" | ||
| 227 | else | ||
| 228 | ··service_util="/sbin/service" | ||
| 229 | ··chkconfig_util="/sbin/chkconfig" | ||
| 230 | fi | ||
| 231 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 232 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 233 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 234 | ··service_state="enable" | ||
| 235 | ··service_operation="start" | ||
| 236 | ··chkconfig_state="on" | ||
| 237 | else | ||
| 238 | ··service_state="disable" | ||
| Max diff block lines reached; 435638/446937 bytes (97.47%) of diff not shown. | |||
| Offset 192, 150 lines modified | Offset 192, 17 lines modified | ||
| 192 | } | 192 | } |
| 193 | package_remove·httpd | 193 | package_remove·httpd |
| 194 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | #·BEGIN·fix·(4·/·270)·for·'s | 196 | #·BEGIN·fix·(4·/·270)·for·'service_ntpd_enabled' |
| 197 | ############################################################################### | 197 | ############################################################################### |
| 198 | (>&2·echo·"Remediating·rule·4/270:·'s | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_ntpd_enabled'") |
| 199 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 200 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 201 | ############################################################################### | ||
| 202 | #·BEGIN·fix·(5·/·270)·for·'package_dhcp_removed' | ||
| 203 | ############################################################################### | ||
| 204 | (>&2·echo·"Remediating·rule·5/270:·'package_dhcp_removed'") | ||
| 205 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 206 | # | ||
| 207 | #·Example·Call(s): | ||
| 208 | # | ||
| 209 | #·····package_remove·telnet-server | ||
| 210 | # | ||
| 211 | function·package_remove·{ | ||
| 212 | #·Load·function·arguments·into·local·variables | ||
| 213 | local·package="$1" | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-ne·"1"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 218 | ··echo·"Aborting." | ||
| 219 | ··exit·1 | ||
| 220 | fi | ||
| 221 | if·which·dnf·;·then | ||
| 222 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 223 | ····dnf·remove·-y·"$package" | ||
| 224 | ··fi | ||
| 225 | elif·which·yum·;·then | ||
| 226 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 227 | ····yum·remove·-y·"$package" | ||
| 228 | ··fi | ||
| 229 | elif·which·apt-get·;·then | ||
| 230 | ··apt-get·remove·-y·"$package" | ||
| 231 | else | ||
| 232 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 233 | ··echo·"Aborting." | ||
| 234 | ··exit·1 | ||
| 235 | fi | ||
| 236 | } | ||
| 237 | package_remove·dhcp | ||
| 238 | #·END·fix·for·'package_dhcp_removed' | ||
| 239 | ############################################################################### | ||
| 240 | #·BEGIN·fix·(6·/·270)·for·'service_dhcpd_disabled' | ||
| 241 | ############################################################################### | ||
| 242 | (>&2·echo·"Remediating·rule·6/270:·'service_dhcpd_disabled'") | ||
| 243 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 244 | # | ||
| 245 | #·Example·Call(s): | ||
| 246 | # | ||
| 247 | #·····service_command·enable·bluetooth | ||
| 248 | #·····service_command·disable·bluetooth.service | ||
| 249 | # | ||
| 250 | #·····Using·xinetd: | ||
| 251 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 252 | # | ||
| 253 | function·service_command·{ | ||
| 254 | #·Load·function·arguments·into·local·variables | ||
| 255 | local·service_state=$1 | ||
| 256 | local·service=$2 | ||
| 257 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 258 | #·Check·sanity·of·the·input | ||
| 259 | if·[·$#·-lt·"2"·] | ||
| 260 | then | ||
| 261 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 262 | ··echo | ||
| 263 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 264 | ··echo·"as·the·last·argument"·· | ||
| 265 | ··echo·"Aborting." | ||
| 266 | ··exit·1 | ||
| 267 | fi | ||
| 268 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 269 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 270 | ··service_util="/usr/bin/systemctl" | ||
| 271 | else | ||
| 272 | ··service_util="/sbin/service" | ||
| 273 | ··chkconfig_util="/sbin/chkconfig" | ||
| 274 | fi | ||
| 275 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 276 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 277 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 278 | ··service_state="enable" | ||
| 279 | ··service_operation="start" | ||
| 280 | ··chkconfig_state="on" | ||
| 281 | else | ||
| 282 | ··service_state="disable" | ||
| 283 | ··service_operation="stop" | ||
| 284 | ··chkconfig_state="off" | ||
| 285 | fi | ||
| 286 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 287 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 288 | ··$service_util·$service·$service_operation | ||
| 289 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 290 | else | ||
| 291 | ··$service_util·$service_operation·$service | ||
| 292 | ··$service_util·$service_state·$service | ||
| 293 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 294 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 295 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 296 | ··$service_util·reset-failed·$service | ||
| 297 | fi | ||
| 298 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 299 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 300 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 301 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| Max diff block lines reached; 641174/645849 bytes (99.28%) of diff not shown. | |||
| Offset 100, 26 lines modified | Offset 100, 26 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 108 | #·END·fix·for·'ntpd_specify_ | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_ | 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_multiple_servers' |
| 111 | ############################################################################### | 111 | ############################################################################### |
| 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_ | 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_multiple_servers'") |
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_ | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' | 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' |
| 117 | ############################################################################### | 117 | ############################################################################### |
| 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") | 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") |
| 119 | sshd_idle_timeout_value="900" | 119 | sshd_idle_timeout_value="900" |
| Offset 128, 1110 lines modified | Offset 128, 61 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'i | 134 | #·BEGIN·fix·(5·/·94)·for·'auditd_audispd_syslog_plugin_activated' |
| 135 | ############################################################################### | ||
| 136 | (>&2·echo·"Remediating·rule·5/94:·'install_hids'") | ||
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 138 | #·END·fix·for·'install_hids' | ||
| 139 | ############################################################################### | ||
| 140 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_permissions' | ||
| 141 | ############################################################################### | ||
| 142 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_permissions'") | ||
| 143 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 144 | declare·-a·SETPERMS_RPM_LIST | ||
| 145 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 146 | #·is·expected·by·the·RPM·database | ||
| 147 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 148 | #·For·each·file·path·from·that·list: | ||
| 149 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 150 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 151 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 152 | do | ||
| 153 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 154 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 155 | done | ||
| 156 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 157 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 158 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 159 | #·correct·values | ||
| 160 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 161 | do | ||
| 162 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 163 | done | ||
| 164 | #·END·fix·for·'rpm_verify_permissions' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'rpm_verify_hashes' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'rpm_verify_hashes'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'rpm_verify_hashes' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| Max diff block lines reached; 178241/199543 bytes (89.32%) of diff not shown. | |||
| Offset 18, 120 lines modified | Offset 18, 38 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 28 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 29 | ############################################################################### |
| 102 | #·BEGIN·fix·( | 30 | #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled' |
| 103 | ############################################################################### | 31 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule· | 32 | (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'service_rexec_disabled' | 34 | #·END·fix·for·'service_rexec_disabled' |
| 107 | ############################################################################### | 35 | ############################################################################### |
| 108 | #·BEGIN·fix·( | 36 | #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled' |
| 109 | ############################################################################### | 37 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule· | 38 | (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 39 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'service_rsh_disabled' | 40 | #·END·fix·for·'service_rsh_disabled' |
| 113 | ############################################################################### | 41 | ############################################################################### |
| 114 | #·BEGIN·fix·( | 42 | #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed' |
| 115 | ############################################################################### | 43 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule· | 44 | (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'") |
| 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 118 | # | 46 | # |
| 119 | #·Example·Call(s): | 47 | #·Example·Call(s): |
| 120 | # | 48 | # |
| 121 | #·····package_remove·telnet-server | 49 | #·····package_remove·telnet-server |
| 122 | # | 50 | # |
| 123 | function·package_remove·{ | 51 | function·package_remove·{ |
| Offset 165, 17 lines modified | Offset 83, 17 lines modified | ||
| 165 | } | 83 | } |
| 166 | package_remove·rsh-server | 84 | package_remove·rsh-server |
| 167 | #·END·fix·for·'package_rsh-server_removed' | 85 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 82251/87188 bytes (94.34%) of diff not shown. | |||
| Offset 19, 24 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·186)·for·'s | 25 | #·BEGIN·fix·(1·/·186)·for·'service_ntpd_enabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/186:·'s | 27 | (>&2·echo·"Remediating·rule·1/186:·'service_ntpd_enabled'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 29 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 30 | ############################################################################### | ||
| 31 | #·BEGIN·fix·(2·/·186)·for·'service_ntpd_enabled' | ||
| 32 | ############################################################################### | ||
| 33 | (>&2·echo·"Remediating·rule·2/186:·'service_ntpd_enabled'") | ||
| 34 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 35 | # | 29 | # |
| 36 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 37 | # | 31 | # |
| 38 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 39 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 40 | # | 34 | # |
| Offset 108, 260 lines modified | Offset 101, 45 lines modified | ||
| 108 | } | 101 | } |
| 109 | service_command·enable·ntpd | 102 | service_command·enable·ntpd |
| 110 | #·END·fix·for·'service_ntpd_enabled' | 103 | #·END·fix·for·'service_ntpd_enabled' |
| 111 | ############################################################################### | 104 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 105 | #·BEGIN·fix·(2·/·186)·for·'ntpd_specify_remote_server' |
| 113 | ############################################################################### | 106 | ############################################################################### |
| 114 | (>&2·echo·"Remediating·rule· | 107 | (>&2·echo·"Remediating·rule·2/186:·'ntpd_specify_remote_server'") |
| 115 | #·FIX·FOR·THIS·RULE·IS·MISSING | 108 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 116 | #·END·fix·for·'ntpd_specify_remote_server' | 109 | #·END·fix·for·'ntpd_specify_remote_server' |
| 117 | ############################################################################### | 110 | ############################################################################### |
| 118 | #·BEGIN·fix·( | 111 | #·BEGIN·fix·(3·/·186)·for·'service_rlogin_disabled' |
| 119 | ############################################################################### | ||
| 120 | (>&2·echo·"Remediating·rule·4/186:·'service_crond_enabled'") | ||
| 121 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 122 | # | ||
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····service_command·enable·bluetooth | ||
| 126 | #·····service_command·disable·bluetooth.service | ||
| 127 | # | ||
| 128 | #·····Using·xinetd: | ||
| 129 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 130 | # | ||
| 131 | function·service_command·{ | ||
| 132 | #·Load·function·arguments·into·local·variables | ||
| 133 | local·service_state=$1 | ||
| 134 | local·service=$2 | ||
| 135 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 136 | #·Check·sanity·of·the·input | ||
| 137 | if·[·$#·-lt·"2"·] | ||
| 138 | then | ||
| 139 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 140 | ··echo | ||
| 141 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 142 | ··echo·"as·the·last·argument"·· | ||
| 143 | ··echo·"Aborting." | ||
| 144 | ··exit·1 | ||
| 145 | fi | ||
| 146 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 147 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 148 | ··service_util="/usr/bin/systemctl" | ||
| 149 | else | ||
| 150 | ··service_util="/sbin/service" | ||
| 151 | ··chkconfig_util="/sbin/chkconfig" | ||
| 152 | fi | ||
| 153 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 154 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 155 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 156 | ··service_state="enable" | ||
| 157 | ··service_operation="start" | ||
| 158 | ··chkconfig_state="on" | ||
| 159 | else | ||
| 160 | ··service_state="disable" | ||
| 161 | ··service_operation="stop" | ||
| 162 | ··chkconfig_state="off" | ||
| 163 | fi | ||
| 164 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 165 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 166 | ··$service_util·$service·$service_operation | ||
| 167 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 168 | else | ||
| 169 | ··$service_util·$service_operation·$service | ||
| 170 | ··$service_util·$service_state·$service | ||
| 171 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 172 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 173 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 174 | ··$service_util·reset-failed·$service | ||
| 175 | fi | ||
| 176 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 177 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 178 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 179 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 180 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··else | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··fi | ||
| 185 | fi | ||
| 186 | } | ||
| 187 | service_command·enable·crond | ||
| 188 | #·END·fix·for·'service_crond_enabled' | ||
| 189 | ############################################################################### | ||
| 190 | #·BEGIN·fix·(5·/·186)·for·'service_atd_disabled' | ||
| 191 | ############################################################################### | ||
| 192 | (>&2·echo·"Remediating·rule·5/186:·'service_atd_disabled'") | ||
| 193 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 194 | # | ||
| 195 | #·Example·Call(s): | ||
| Max diff block lines reached; 435598/444374 bytes (98.03%) of diff not shown. | |||
| Offset 109, 202 lines modified | Offset 109, 38 lines modified | ||
| 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' | 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") | 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'ntpd_specify_remote_server' | 113 | #·END·fix·for·'ntpd_specify_remote_server' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(3·/·182)·for·'service_ | 115 | #·BEGIN·fix·(3·/·182)·for·'service_rlogin_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·3/182:·'service_ | 117 | (>&2·echo·"Remediating·rule·3/182:·'service_rlogin_disabled'") |
| 118 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 119 | # | ||
| 120 | #·Example·Call(s): | ||
| 121 | # | ||
| 122 | #·····service_command·enable·bluetooth | ||
| 123 | #·····service_command·disable·bluetooth.service | ||
| 124 | # | ||
| 125 | #·····Using·xinetd: | ||
| 126 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 127 | # | ||
| 128 | function·service_command·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·service_state=$1 | ||
| 131 | local·service=$2 | ||
| 132 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 133 | #·Check·sanity·of·the·input | ||
| 134 | if·[·$#·-lt·"2"·] | ||
| 135 | then | ||
| 136 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 137 | ··echo | ||
| 138 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 139 | ··echo·"as·the·last·argument"·· | ||
| 140 | ··echo·"Aborting." | ||
| 141 | ··exit·1 | ||
| 142 | fi | ||
| 143 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 144 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 145 | ··service_util="/usr/bin/systemctl" | ||
| 146 | else | ||
| 147 | ··service_util="/sbin/service" | ||
| 148 | ··chkconfig_util="/sbin/chkconfig" | ||
| 149 | fi | ||
| 150 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 151 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 152 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 153 | ··service_state="enable" | ||
| 154 | ··service_operation="start" | ||
| 155 | ··chkconfig_state="on" | ||
| 156 | else | ||
| 157 | ··service_state="disable" | ||
| 158 | ··service_operation="stop" | ||
| 159 | ··chkconfig_state="off" | ||
| 160 | fi | ||
| 161 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 162 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 163 | ··$service_util·$service·$service_operation | ||
| 164 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 165 | else | ||
| 166 | ··$service_util·$service_operation·$service | ||
| 167 | ··$service_util·$service_state·$service | ||
| 168 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 169 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 170 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 171 | ··$service_util·reset-failed·$service | ||
| 172 | fi | ||
| 173 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 174 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 175 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 176 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 177 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 178 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 179 | ··else | ||
| 180 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 181 | ··fi | ||
| 182 | fi | ||
| 183 | } | ||
| 184 | service_command·enable·crond | ||
| 185 | #·END·fix·for·'service_crond_enabled' | ||
| 186 | ############################################################################### | ||
| 187 | #·BEGIN·fix·(4·/·182)·for·'service_atd_disabled' | ||
| 188 | ############################################################################### | ||
| 189 | (>&2·echo·"Remediating·rule·4/182:·'service_atd_disabled'") | ||
| 190 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 191 | # | ||
| 192 | #·Example·Call(s): | ||
| 193 | # | ||
| 194 | #·····service_command·enable·bluetooth | ||
| 195 | #·····service_command·disable·bluetooth.service | ||
| 196 | # | ||
| 197 | #·····Using·xinetd: | ||
| 198 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 199 | # | ||
| 200 | function·service_command·{ | ||
| 201 | #·Load·function·arguments·into·local·variables | ||
| 202 | local·service_state=$1 | ||
| 203 | local·service=$2 | ||
| 204 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 205 | #·Check·sanity·of·the·input | ||
| 206 | if·[·$#·-lt·"2"·] | ||
| 207 | then | ||
| 208 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 209 | ··echo | ||
| 210 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 211 | ··echo·"as·the·last·argument"·· | ||
| 212 | ··echo·"Aborting." | ||
| 213 | ··exit·1 | ||
| 214 | fi | ||
| 215 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 216 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 217 | ··service_util="/usr/bin/systemctl" | ||
| 218 | else | ||
| 219 | ··service_util="/sbin/service" | ||
| 220 | ··chkconfig_util="/sbin/chkconfig" | ||
| 221 | fi | ||
| Max diff block lines reached; 433117/439084 bytes (98.64%) of diff not shown. | |||
| Offset 25, 38 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_ | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_present_banner' | 35 | #·END·fix·for·'ftp_present_banner' |
| 42 | ############################################################################### | 36 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_log_transactions' |
| 44 | ############################################################################### | 38 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_log_transactions'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·' | 41 | #·END·fix·for·'ftp_log_transactions' |
| 48 | ############################################################################### | 42 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 43 | #·BEGIN·fix·(3·/·250)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | 44 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule· | 45 | (>&2·echo·"Remediating·rule·3/250:·'service_ntpd_enabled'") |
| 52 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 46 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 53 | # | 47 | # |
| 54 | #·Example·Call(s): | 48 | #·Example·Call(s): |
| 55 | # | 49 | # |
| 56 | #·····service_command·enable·bluetooth | 50 | #·····service_command·enable·bluetooth |
| 57 | #·····service_command·disable·bluetooth.service | 51 | #·····service_command·disable·bluetooth.service |
| 58 | # | 52 | # |
| Offset 128, 274 lines modified | Offset 121, 59 lines modified | ||
| 128 | } | 121 | } |
| 129 | service_command·enable·ntpd | 122 | service_command·enable·ntpd |
| 130 | #·END·fix·for·'service_ntpd_enabled' | 123 | #·END·fix·for·'service_ntpd_enabled' |
| 131 | ############################################################################### | 124 | ############################################################################### |
| 132 | #·BEGIN·fix·( | 125 | #·BEGIN·fix·(4·/·250)·for·'ntpd_specify_remote_server' |
| 133 | ############################################################################### | 126 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule· | 127 | (>&2·echo·"Remediating·rule·4/250:·'ntpd_specify_remote_server'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'ntpd_specify_remote_server' | 129 | #·END·fix·for·'ntpd_specify_remote_server' |
| 137 | ############################################################################### | 130 | ############################################################################### |
| 138 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(5·/·250)·for·'snmpd_use_newer_protocol' |
| 139 | ############################################################################### | 132 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·5/250:·'snmpd_use_newer_protocol'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·'snmpd_use_newer_protocol' | 135 | #·END·fix·for·'snmpd_use_newer_protocol' |
| 143 | ############################################################################### | 136 | ############################################################################### |
| 144 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(6·/·250)·for·'snmpd_not_default_password' |
| 145 | ############################################################################### | 138 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·6/250:·'snmpd_not_default_password'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·'snmpd_not_default_password' | 141 | #·END·fix·for·'snmpd_not_default_password' |
| 149 | ############################################################################### | 142 | ############################################################################### |
| 150 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(7·/·250)·for·'service_rlogin_disabled' |
| 151 | ############################################################################### | ||
| 152 | (>&2·echo·"Remediating·rule·8/250:·'service_crond_enabled'") | ||
| 153 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 154 | # | ||
| 155 | #·Example·Call(s): | ||
| 156 | # | ||
| 157 | #·····service_command·enable·bluetooth | ||
| 158 | #·····service_command·disable·bluetooth.service | ||
| 159 | # | ||
| 160 | #·····Using·xinetd: | ||
| 161 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 162 | # | ||
| 163 | function·service_command·{ | ||
| 164 | #·Load·function·arguments·into·local·variables | ||
| 165 | local·service_state=$1 | ||
| 166 | local·service=$2 | ||
| 167 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 168 | #·Check·sanity·of·the·input | ||
| 169 | if·[·$#·-lt·"2"·] | ||
| 170 | then | ||
| 171 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 172 | ··echo | ||
| 173 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 174 | ··echo·"as·the·last·argument"·· | ||
| 175 | ··echo·"Aborting." | ||
| 176 | ··exit·1 | ||
| 177 | fi | ||
| 178 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 179 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 180 | ··service_util="/usr/bin/systemctl" | ||
| 181 | else | ||
| 182 | ··service_util="/sbin/service" | ||
| 183 | ··chkconfig_util="/sbin/chkconfig" | ||
| 184 | fi | ||
| 185 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 186 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 187 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 188 | ··service_state="enable" | ||
| 189 | ··service_operation="start" | ||
| 190 | ··chkconfig_state="on" | ||
| 191 | else | ||
| 192 | ··service_state="disable" | ||
| 193 | ··service_operation="stop" | ||
| 194 | ··chkconfig_state="off" | ||
| 195 | fi | ||
| 196 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 197 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 198 | ··$service_util·$service·$service_operation | ||
| 199 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 200 | else | ||
| 201 | ··$service_util·$service_operation·$service | ||
| 202 | ··$service_util·$service_state·$service | ||
| 203 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 204 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| Max diff block lines reached; 606625/617308 bytes (98.27%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·223)·for·' | 275 | #·BEGIN·fix·(5·/·223)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/223:·' | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·223)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/223:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 492856/497138 bytes (99.14%) of diff not shown. | |||
| Offset 90, 48 lines modified | Offset 90, 48 lines modified | ||
| 90 | # | 90 | # |
| 91 | #·Stop·rlogin.socket·if·currently·running | 91 | #·Stop·rlogin.socket·if·currently·running |
| 92 | # | 92 | # |
| 93 | systemctl·stop·rlogin.socket | 93 | systemctl·stop·rlogin.socket |
| 94 | #·END·fix·for·'service_rlogin_disabled' | 94 | #·END·fix·for·'service_rlogin_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(3·/·213)·for·'service_r | 96 | #·BEGIN·fix·(3·/·213)·for·'service_rsh_disabled' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·3/213:·'service_r | 98 | (>&2·echo·"Remediating·rule·3/213:·'service_rsh_disabled'") |
| 99 | grep·-qi·disable·/etc/xinetd.d/r | 99 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 101 | # | 101 | # |
| 102 | #·Disable·r | 102 | #·Disable·rsh.socket·for·all·systemd·targets |
| 103 | # | 103 | # |
| 104 | systemctl·disable·r | 104 | systemctl·disable·rsh.socket |
| 105 | # | 105 | # |
| 106 | #·Stop·r | 106 | #·Stop·rsh.socket·if·currently·running |
| 107 | # | 107 | # |
| 108 | systemctl·stop·r | 108 | systemctl·stop·rsh.socket |
| 109 | #·END·fix·for·'service_r | 109 | #·END·fix·for·'service_rsh_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | #·BEGIN·fix·(4·/·213)·for·'service_r | 111 | #·BEGIN·fix·(4·/·213)·for·'service_rexec_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | (>&2·echo·"Remediating·rule·4/213:·'service_r | 113 | (>&2·echo·"Remediating·rule·4/213:·'service_rexec_disabled'") |
| 114 | grep·-qi·disable·/etc/xinetd.d/r | 114 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 116 | # | 116 | # |
| 117 | #·Disable·r | 117 | #·Disable·rexec.socket·for·all·systemd·targets |
| 118 | # | 118 | # |
| 119 | systemctl·disable·r | 119 | systemctl·disable·rexec.socket |
| 120 | # | 120 | # |
| 121 | #·Stop·r | 121 | #·Stop·rexec.socket·if·currently·running |
| 122 | # | 122 | # |
| 123 | systemctl·stop·r | 123 | systemctl·stop·rexec.socket |
| 124 | #·END·fix·for·'service_r | 124 | #·END·fix·for·'service_rexec_disabled' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' | 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") | 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") |
| 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; |
| Offset 369, 61 lines modified | Offset 369, 17 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled' |
| 374 | ############################################################################### | ||
| 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") | ||
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | 374 | ############################################################################### |
| 413 | (>&2·echo·"Remediating·rule·1 | 375 | (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'") |
| 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 415 | # | 377 | # |
| 416 | #·Example·Call(s): | 378 | #·Example·Call(s): |
| 417 | # | 379 | # |
| 418 | #·····service_command·enable·bluetooth | 380 | #·····service_command·enable·bluetooth |
| 419 | #·····service_command·disable·bluetooth.service | 381 | #·····service_command·disable·bluetooth.service |
| 420 | # | 382 | # |
| Offset 495, 14 lines modified | Offset 451, 58 lines modified | ||
| 495 | } | 451 | } |
| 496 | service_command·disable·xinetd | 452 | service_command·disable·xinetd |
| 497 | #·END·fix·for·'service_xinetd_disabled' | 453 | #·END·fix·for·'service_xinetd_disabled' |
| 498 | ############################################################################### | 454 | ############################################################################### |
| 455 | #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed' | ||
| 456 | ############################################################################### | ||
| 457 | (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'") | ||
| 458 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 459 | # | ||
| 460 | #·Example·Call(s): | ||
| 461 | # | ||
| 462 | #·····package_install·aide | ||
| 463 | # | ||
| Max diff block lines reached; 140250/145947 bytes (96.10%) of diff not shown. | |||
| Offset 969, 28 lines modified | Offset 969, 28 lines modified | ||
| 969 | ··fi | 969 | ··fi |
| 970 | } | 970 | } |
| 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' | 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' |
| 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' | 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' |
| 973 | ############################################################################### | 973 | ############################################################################### |
| 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_ | 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 975 | ############################################################################### | 975 | ############################################################################### |
| 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_ | 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_conf_default_accept_redirects'") |
| 977 | sysctl_net_ipv4_ | 977 | sysctl_net_ipv4_conf_default_accept_redirects_value="0" |
| 978 | # | 978 | # |
| 979 | #·Set·runtime·for·net.ipv4. | 979 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 980 | # | 980 | # |
| 981 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 981 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 982 | # | 982 | # |
| 983 | #·If·net.ipv4. | 983 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 984 | #» else,·add·"net.ipv4. | 984 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 985 | # | 985 | # |
| 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 987 | #·it·does·not·exist. | 987 | #·it·does·not·exist. |
| 988 | # | 988 | # |
| 989 | #·Expects·arguments: | 989 | #·Expects·arguments: |
| 990 | # | 990 | # |
| 991 | #·config_file:» » Configuration·file·that·will·be·modified | 991 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1062, 32 lines modified | Offset 1062, 32 lines modified | ||
| 1062 | ··else | 1062 | ··else |
| 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1066 | ··fi | 1066 | ··fi |
| 1067 | } | 1067 | } |
| 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1069 | #·END·fix·for·'sysctl_net_ipv4_ | 1069 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 1070 | ############################################################################### | 1070 | ############################################################################### |
| 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_ | 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1072 | ############################################################################### | 1072 | ############################################################################### |
| 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_ | 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_all_accept_redirects'") |
| 1074 | sysctl_net_ipv4_conf_ | 1074 | sysctl_net_ipv4_conf_all_accept_redirects_value="0" |
| 1075 | # | 1075 | # |
| 1076 | #·Set·runtime·for·net.ipv4.conf. | 1076 | #·Set·runtime·for·net.ipv4.conf.all.accept_redirects |
| 1077 | # | 1077 | # |
| 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf. | 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value |
| 1079 | # | 1079 | # |
| 1080 | #·If·net.ipv4.conf. | 1080 | #·If·net.ipv4.conf.all.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1081 | #» else,·add·"net.ipv4.conf. | 1081 | #» else,·add·"net.ipv4.conf.all.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1082 | # | 1082 | # |
| 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1084 | #·it·does·not·exist. | 1084 | #·it·does·not·exist. |
| 1085 | # | 1085 | # |
| 1086 | #·Expects·arguments: | 1086 | #·Expects·arguments: |
| 1087 | # | 1087 | # |
| 1088 | #·config_file:» » Configuration·file·that·will·be·modified | 1088 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1159, 32 lines modified | Offset 1159, 32 lines modified | ||
| 1159 | ··else | 1159 | ··else |
| 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1163 | ··fi | 1163 | ··fi |
| 1164 | } | 1164 | } |
| 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf. | 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.all.accept_redirects'·"$sysctl_net_ipv4_conf_all_accept_redirects_value"·'CCE-80158-9' |
| 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_ | 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1167 | ############################################################################### | 1167 | ############################################################################### |
| 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_ | 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1169 | ############################################################################### | 1169 | ############################################################################### |
| 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_ | 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") |
| 1171 | sysctl_net_ipv4_ | 1171 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="1" |
| 1172 | # | 1172 | # |
| 1173 | #·Set·runtime·for·net.ipv4. | 1173 | #·Set·runtime·for·net.ipv4.icmp_echo_ignore_broadcasts |
| 1174 | # | 1174 | # |
| 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value |
| 1176 | # | 1176 | # |
| 1177 | #·If·net.ipv4. | 1177 | #·If·net.ipv4.icmp_echo_ignore_broadcasts·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1178 | #» else,·add·"net.ipv4. | 1178 | #» else,·add·"net.ipv4.icmp_echo_ignore_broadcasts·=·value"·to·/etc/sysctl.conf |
| 1179 | # | 1179 | # |
| 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1181 | #·it·does·not·exist. | 1181 | #·it·does·not·exist. |
| 1182 | # | 1182 | # |
| 1183 | #·Expects·arguments: | 1183 | #·Expects·arguments: |
| 1184 | # | 1184 | # |
| 1185 | #·config_file:» » Configuration·file·that·will·be·modified | 1185 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1256, 32 lines modified | Offset 1256, 32 lines modified | ||
| 1256 | ··else | 1256 | ··else |
| 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1260 | ··fi | 1260 | ··fi |
| 1261 | } | 1261 | } |
| 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.icmp_echo_ignore_broadcasts'·"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"·'CCE-80165-4' |
| 1263 | #·END·fix·for·'sysctl_net_ipv4_ | 1263 | #·END·fix·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1264 | ############################################################################### | 1264 | ############################################################################### |
| 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_ | 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_tcp_syncookies' |
| 1266 | ############################################################################### | 1266 | ############################################################################### |
| 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_ | 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_tcp_syncookies'") |
| 1268 | sysctl_net_ipv4_ | 1268 | sysctl_net_ipv4_tcp_syncookies_value="1" |
| 1269 | # | 1269 | # |
| 1270 | #·Set·runtime·for·net.ipv4. | 1270 | #·Set·runtime·for·net.ipv4.tcp_syncookies |
| 1271 | # | 1271 | # |
| 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value |
| 1273 | # | 1273 | # |
| 1274 | #·If·net.ipv4. | 1274 | #·If·net.ipv4.tcp_syncookies·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1275 | #» else,·add·"net.ipv4. | 1275 | #» else,·add·"net.ipv4.tcp_syncookies·=·value"·to·/etc/sysctl.conf |
| 1276 | # | 1276 | # |
| 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1278 | #·it·does·not·exist. | 1278 | #·it·does·not·exist. |
| 1279 | # | 1279 | # |
| 1280 | #·Expects·arguments: | 1280 | #·Expects·arguments: |
| 1281 | # | 1281 | # |
| 1282 | #·config_file:» » Configuration·file·that·will·be·modified | 1282 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 70926/79104 bytes (89.66%) of diff not shown. | |||
| Offset 88, 48 lines modified | Offset 88, 48 lines modified | ||
| 88 | # | 88 | # |
| 89 | #·Stop·rlogin.socket·if·currently·running | 89 | #·Stop·rlogin.socket·if·currently·running |
| 90 | # | 90 | # |
| 91 | systemctl·stop·rlogin.socket | 91 | systemctl·stop·rlogin.socket |
| 92 | #·END·fix·for·'service_rlogin_disabled' | 92 | #·END·fix·for·'service_rlogin_disabled' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(3·/·149)·for·'service_r | 94 | #·BEGIN·fix·(3·/·149)·for·'service_rsh_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·3/149:·'service_r | 96 | (>&2·echo·"Remediating·rule·3/149:·'service_rsh_disabled'") |
| 97 | grep·-qi·disable·/etc/xinetd.d/r | 97 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 99 | # | 99 | # |
| 100 | #·Disable·r | 100 | #·Disable·rsh.socket·for·all·systemd·targets |
| 101 | # | 101 | # |
| 102 | systemctl·disable·r | 102 | systemctl·disable·rsh.socket |
| 103 | # | 103 | # |
| 104 | #·Stop·r | 104 | #·Stop·rsh.socket·if·currently·running |
| 105 | # | 105 | # |
| 106 | systemctl·stop·r | 106 | systemctl·stop·rsh.socket |
| 107 | #·END·fix·for·'service_r | 107 | #·END·fix·for·'service_rsh_disabled' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(4·/·149)·for·'service_r | 109 | #·BEGIN·fix·(4·/·149)·for·'service_rexec_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·4/149:·'service_r | 111 | (>&2·echo·"Remediating·rule·4/149:·'service_rexec_disabled'") |
| 112 | grep·-qi·disable·/etc/xinetd.d/r | 112 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 114 | # | 114 | # |
| 115 | #·Disable·r | 115 | #·Disable·rexec.socket·for·all·systemd·targets |
| 116 | # | 116 | # |
| 117 | systemctl·disable·r | 117 | systemctl·disable·rexec.socket |
| 118 | # | 118 | # |
| 119 | #·Stop·r | 119 | #·Stop·rexec.socket·if·currently·running |
| 120 | # | 120 | # |
| 121 | systemctl·stop·r | 121 | systemctl·stop·rexec.socket |
| 122 | #·END·fix·for·'service_r | 122 | #·END·fix·for·'service_rexec_disabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' | 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") | 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") |
| 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 128 | # | 128 | # |
| Offset 2482, 29 lines modified | Offset 2482, 29 lines modified | ||
| 2482 | ··fi | 2482 | ··fi |
| 2483 | } | 2483 | } |
| 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' | 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' |
| 2485 | #·END·fix·for·'selinux_policytype' | 2485 | #·END·fix·for·'selinux_policytype' |
| 2486 | ############################################################################### | 2486 | ############################################################################### |
| 2487 | #·BEGIN·fix·(44·/·149)·for·' | 2487 | #·BEGIN·fix·(44·/·149)·for·'enable_selinux_bootloader' |
| 2488 | ############################################################################### | ||
| 2489 | (>&2·echo·"Remediating·rule·44/149:·'selinux_confinement_of_daemons'") | ||
| 2490 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2491 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2492 | ############################################################################### | 2488 | ############################################################################### |
| 2493 | 2489 | (>&2·echo·"Remediating·rule·44/149:·'enable_selinux_bootloader'") | |
| 2494 | ############################################################################### | ||
| 2495 | (>&2·echo·"Remediating·rule·45/149:·'enable_selinux_bootloader'") | ||
| 2496 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2490 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2497 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2491 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2498 | #·END·fix·for·'enable_selinux_bootloader' | 2492 | #·END·fix·for·'enable_selinux_bootloader' |
| 2499 | ############################################################################### | 2493 | ############################################################################### |
| 2494 | #·BEGIN·fix·(45·/·149)·for·'selinux_confinement_of_daemons' | ||
| 2495 | ############################################################################### | ||
| 2496 | (>&2·echo·"Remediating·rule·45/149:·'selinux_confinement_of_daemons'") | ||
| 2497 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2498 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2499 | ############################################################################### | ||
| 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' | 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' |
| 2501 | ############################################################################### | 2501 | ############################################################################### |
| 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") | 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") |
| 2503 | var_selinux_state="enforcing" | 2503 | var_selinux_state="enforcing" |
| 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 2505 | #·it·does·not·exist. | 2505 | #·it·does·not·exist. |
| Offset 2587, 35 lines modified | Offset 2587, 35 lines modified | ||
| 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' | 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' |
| 2588 | fixfiles·onboot | 2588 | fixfiles·onboot |
| 2589 | fixfiles·-f·relabel | 2589 | fixfiles·-f·relabel |
| 2590 | #·END·fix·for·'selinux_state' | 2590 | #·END·fix·for·'selinux_state' |
| 2591 | ############################################################################### | 2591 | ############################################################################### |
| 2592 | #·BEGIN·fix·(47·/·149)·for·' | 2592 | #·BEGIN·fix·(47·/·149)·for·'no_direct_root_logins' |
| 2593 | ############################################################################### | 2593 | ############################################################################### |
| 2594 | (>&2·echo·"Remediating·rule·47/149:·' | 2594 | (>&2·echo·"Remediating·rule·47/149:·'no_direct_root_logins'") |
| 2595 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2596 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2597 | ############################################################################### | ||
| 2598 | #·BEGIN·fix·(48·/·149)·for·'no_direct_root_logins' | ||
| 2599 | ############################################################################### | ||
| 2600 | (>&2·echo·"Remediating·rule·48/149:·'no_direct_root_logins'") | ||
| 2601 | echo·>·/etc/securetty | 2595 | echo·>·/etc/securetty |
| 2602 | #·END·fix·for·'no_direct_root_logins' | 2596 | #·END·fix·for·'no_direct_root_logins' |
| 2603 | ############################################################################### | 2597 | ############################################################################### |
| 2604 | #·BEGIN·fix·(4 | 2598 | #·BEGIN·fix·(48·/·149)·for·'securetty_root_login_console_only' |
| 2605 | ############################################################################### | 2599 | ############################################################################### |
| 2606 | (>&2·echo·"Remediating·rule·4 | 2600 | (>&2·echo·"Remediating·rule·48/149:·'securetty_root_login_console_only'") |
| 2607 | sed·-i·'/^vc\//d'·/etc/securetty | 2601 | sed·-i·'/^vc\//d'·/etc/securetty |
| 2608 | #·END·fix·for·'securetty_root_login_console_only' | 2602 | #·END·fix·for·'securetty_root_login_console_only' |
| 2609 | ############################################################################### | 2603 | ############################################################################### |
| 2604 | #·BEGIN·fix·(49·/·149)·for·'restrict_serial_port_logins' | ||
| 2605 | ############################################################################### | ||
| 2606 | (>&2·echo·"Remediating·rule·49/149:·'restrict_serial_port_logins'") | ||
| 2607 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2608 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2609 | ############################################################################### | ||
| 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' | 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' |
| 2611 | ############################################################################### | 2611 | ############################################################################### |
| 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") | 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") |
| 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 2615 | #·END·fix·for·'no_empty_passwords' | 2615 | #·END·fix·for·'no_empty_passwords' |
| Max diff block lines reached; 121413/128266 bytes (94.66%) of diff not shown. | |||
| Offset 96, 48 lines modified | Offset 96, 48 lines modified | ||
| 96 | # | 96 | # |
| 97 | #·Stop·rlogin.socket·if·currently·running | 97 | #·Stop·rlogin.socket·if·currently·running |
| 98 | # | 98 | # |
| 99 | systemctl·stop·rlogin.socket | 99 | systemctl·stop·rlogin.socket |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(3·/·358)·for·'service_r | 102 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 104 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 105 | grep·-qi·disable·/etc/xinetd.d/r | 105 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 107 | # | 107 | # |
| 108 | #·Disable·r | 108 | #·Disable·rsh.socket·for·all·systemd·targets |
| 109 | # | 109 | # |
| 110 | systemctl·disable·r | 110 | systemctl·disable·rsh.socket |
| 111 | # | 111 | # |
| 112 | #·Stop·r | 112 | #·Stop·rsh.socket·if·currently·running |
| 113 | # | 113 | # |
| 114 | systemctl·stop·r | 114 | systemctl·stop·rsh.socket |
| 115 | #·END·fix·for·'service_r | 115 | #·END·fix·for·'service_rsh_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | #·BEGIN·fix·(4·/·358)·for·'service_r | 117 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 119 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 120 | grep·-qi·disable·/etc/xinetd.d/r | 120 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 122 | # | 122 | # |
| 123 | #·Disable·r | 123 | #·Disable·rexec.socket·for·all·systemd·targets |
| 124 | # | 124 | # |
| 125 | systemctl·disable·r | 125 | systemctl·disable·rexec.socket |
| 126 | # | 126 | # |
| 127 | #·Stop·r | 127 | #·Stop·rexec.socket·if·currently·running |
| 128 | # | 128 | # |
| 129 | systemctl·stop·r | 129 | systemctl·stop·rexec.socket |
| 130 | #·END·fix·for·'service_r | 130 | #·END·fix·for·'service_rexec_disabled' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 136 | # |
| Offset 3080, 17 lines modified | Offset 3080, 113 lines modified | ||
| 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3081 | ############################################################################### | 3081 | ############################################################################### |
| 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3084 | #·END·fix·for·'rsyslog_nolisten' | 3084 | #·END·fix·for·'rsyslog_nolisten' |
| 3085 | ############################################################################### | 3085 | ############################################################################### |
| 3086 | #·BEGIN·fix·(59·/·358)·for·'s | 3086 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3087 | ############################################################################### | ||
| 3088 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3089 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3090 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3091 | ############################################################################### | ||
| 3092 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3093 | ############################################################################### | ||
| 3094 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3095 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3096 | # | ||
| 3097 | #·Example·Call(s): | ||
| 3098 | # | ||
| 3099 | #·····service_command·enable·bluetooth | ||
| 3100 | #·····service_command·disable·bluetooth.service | ||
| 3101 | # | ||
| 3102 | #·····Using·xinetd: | ||
| 3103 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3104 | # | ||
| 3105 | function·service_command·{ | ||
| 3106 | #·Load·function·arguments·into·local·variables | ||
| 3107 | local·service_state=$1 | ||
| 3108 | local·service=$2 | ||
| 3109 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3110 | #·Check·sanity·of·the·input | ||
| 3111 | if·[·$#·-lt·"2"·] | ||
| 3112 | then | ||
| 3113 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3114 | ··echo | ||
| 3115 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3116 | ··echo·"as·the·last·argument"·· | ||
| 3117 | ··echo·"Aborting." | ||
| 3118 | ··exit·1 | ||
| 3119 | fi | ||
| 3120 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3121 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3122 | ··service_util="/usr/bin/systemctl" | ||
| 3123 | else | ||
| 3124 | ··service_util="/sbin/service" | ||
| 3125 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3126 | fi | ||
| 3127 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3128 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3129 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3130 | ··service_state="enable" | ||
| 3131 | ··service_operation="start" | ||
| 3132 | ··chkconfig_state="on" | ||
| 3133 | else | ||
| 3134 | ··service_state="disable" | ||
| 3135 | ··service_operation="stop" | ||
| 3136 | ··chkconfig_state="off" | ||
| 3137 | fi | ||
| 3138 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3139 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3140 | ··$service_util·$service·$service_operation | ||
| 3141 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3142 | else | ||
| 3143 | ··$service_util·$service_operation·$service | ||
| 3144 | ··$service_util·$service_state·$service | ||
| 3145 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3146 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3147 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3148 | ··$service_util·reset-failed·$service | ||
| 3149 | fi | ||
| Max diff block lines reached; 244908/250997 bytes (97.57%) of diff not shown. | |||
| Offset 107, 48 lines modified | Offset 107, 48 lines modified | ||
| 107 | # | 107 | # |
| 108 | #·Stop·rlogin.socket·if·currently·running | 108 | #·Stop·rlogin.socket·if·currently·running |
| 109 | # | 109 | # |
| 110 | systemctl·stop·rlogin.socket | 110 | systemctl·stop·rlogin.socket |
| 111 | #·END·fix·for·'service_rlogin_disabled' | 111 | #·END·fix·for·'service_rlogin_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | #·BEGIN·fix·(3·/·358)·for·'service_r | 113 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 115 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 116 | grep·-qi·disable·/etc/xinetd.d/r | 116 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 118 | # | 118 | # |
| 119 | #·Disable·r | 119 | #·Disable·rsh.socket·for·all·systemd·targets |
| 120 | # | 120 | # |
| 121 | systemctl·disable·r | 121 | systemctl·disable·rsh.socket |
| 122 | # | 122 | # |
| 123 | #·Stop·r | 123 | #·Stop·rsh.socket·if·currently·running |
| 124 | # | 124 | # |
| 125 | systemctl·stop·r | 125 | systemctl·stop·rsh.socket |
| 126 | #·END·fix·for·'service_r | 126 | #·END·fix·for·'service_rsh_disabled' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | #·BEGIN·fix·(4·/·358)·for·'service_r | 128 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 130 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 131 | grep·-qi·disable·/etc/xinetd.d/r | 131 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 133 | # | 133 | # |
| 134 | #·Disable·r | 134 | #·Disable·rexec.socket·for·all·systemd·targets |
| 135 | # | 135 | # |
| 136 | systemctl·disable·r | 136 | systemctl·disable·rexec.socket |
| 137 | # | 137 | # |
| 138 | #·Stop·r | 138 | #·Stop·rexec.socket·if·currently·running |
| 139 | # | 139 | # |
| 140 | systemctl·stop·r | 140 | systemctl·stop·rexec.socket |
| 141 | #·END·fix·for·'service_r | 141 | #·END·fix·for·'service_rexec_disabled' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 147 | # | 147 | # |
| Offset 3091, 17 lines modified | Offset 3091, 113 lines modified | ||
| 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3092 | ############################################################################### | 3092 | ############################################################################### |
| 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3095 | #·END·fix·for·'rsyslog_nolisten' | 3095 | #·END·fix·for·'rsyslog_nolisten' |
| 3096 | ############################################################################### | 3096 | ############################################################################### |
| 3097 | #·BEGIN·fix·(59·/·358)·for·'s | 3097 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3098 | ############################################################################### | ||
| 3099 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3100 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3101 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3102 | ############################################################################### | ||
| 3103 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3104 | ############################################################################### | ||
| 3105 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3106 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3107 | # | ||
| 3108 | #·Example·Call(s): | ||
| 3109 | # | ||
| 3110 | #·····service_command·enable·bluetooth | ||
| 3111 | #·····service_command·disable·bluetooth.service | ||
| 3112 | # | ||
| 3113 | #·····Using·xinetd: | ||
| 3114 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3115 | # | ||
| 3116 | function·service_command·{ | ||
| 3117 | #·Load·function·arguments·into·local·variables | ||
| 3118 | local·service_state=$1 | ||
| 3119 | local·service=$2 | ||
| 3120 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3121 | #·Check·sanity·of·the·input | ||
| 3122 | if·[·$#·-lt·"2"·] | ||
| 3123 | then | ||
| 3124 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3125 | ··echo | ||
| 3126 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3127 | ··echo·"as·the·last·argument"·· | ||
| 3128 | ··echo·"Aborting." | ||
| 3129 | ··exit·1 | ||
| 3130 | fi | ||
| 3131 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3132 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3133 | ··service_util="/usr/bin/systemctl" | ||
| 3134 | else | ||
| 3135 | ··service_util="/sbin/service" | ||
| 3136 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3137 | fi | ||
| 3138 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3139 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3140 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3141 | ··service_state="enable" | ||
| 3142 | ··service_operation="start" | ||
| 3143 | ··chkconfig_state="on" | ||
| 3144 | else | ||
| 3145 | ··service_state="disable" | ||
| 3146 | ··service_operation="stop" | ||
| 3147 | ··chkconfig_state="off" | ||
| 3148 | fi | ||
| 3149 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3150 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3151 | ··$service_util·$service·$service_operation | ||
| 3152 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3153 | else | ||
| 3154 | ··$service_util·$service_operation·$service | ||
| 3155 | ··$service_util·$service_state·$service | ||
| 3156 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3157 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3158 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3159 | ··$service_util·reset-failed·$service | ||
| 3160 | fi | ||
| Max diff block lines reached; 244908/250999 bytes (97.57%) of diff not shown. | |||
| Offset 376, 31 lines modified | Offset 376, 38 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_idle_timeout' | 379 | #·END·fix·for·'sshd_set_idle_timeout' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(5·/·94)·for·' | 381 | #·BEGIN·fix·(5·/·94)·for·'ensure_logrotate_activated' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·5/94:·' | 383 | (>&2·echo·"Remediating·rule·5/94:·'ensure_logrotate_activated'") |
| 384 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 385 | #·END·fix·for·'rsyslog_files_groupownership' | ||
| 386 | 384 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | |
| 387 | 385 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | |
| 388 | ############################################################################### | ||
| 389 | 386 | #·daily·rotation·is·configured | |
| 390 | 387 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | |
| 391 | #·END·fix·for·'rsyslog_files_ownership' | ||
| 388 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 389 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 390 | #·configure·cron.daily·if·not·already | ||
| 391 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 392 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 393 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 394 | fi | ||
| 395 | #·END·fix·for·'ensure_logrotate_activated' | ||
| 392 | ############################################################################### | 396 | ############################################################################### |
| 393 | #·BEGIN·fix·( | 397 | #·BEGIN·fix·(6·/·94)·for·'rsyslog_files_permissions' |
| 394 | ############################################################################### | 398 | ############################################################################### |
| 395 | (>&2·echo·"Remediating·rule· | 399 | (>&2·echo·"Remediating·rule·6/94:·'rsyslog_files_permissions'") |
| 396 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 400 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 397 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 401 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 398 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 402 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 399 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 403 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 400 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 404 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 401 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 405 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| Offset 449, 33 lines modified | Offset 456, 26 lines modified | ||
| 449 | » then | 456 | » then |
| 450 | » » /bin/chmod·600·"$PATH" | 457 | » » /bin/chmod·600·"$PATH" |
| 451 | » fi | 458 | » fi |
| 452 | done | 459 | done |
| 453 | #·END·fix·for·'rsyslog_files_permissions' | 460 | #·END·fix·for·'rsyslog_files_permissions' |
| 454 | ############################################################################### | 461 | ############################################################################### |
| 455 | #·BEGIN·fix·( | 462 | #·BEGIN·fix·(7·/·94)·for·'rsyslog_files_ownership' |
| 456 | ############################################################################### | 463 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule· | 464 | (>&2·echo·"Remediating·rule·7/94:·'rsyslog_files_ownership'") |
| 465 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 458 | 466 | #·END·fix·for·'rsyslog_files_ownership' | |
| 459 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 460 | #·daily·rotation·is·configured | ||
| 461 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 462 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 463 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 464 | # | 467 | ############################################################################### |
| 465 | 468 | #·BEGIN·fix·(8·/·94)·for·'rsyslog_files_groupownership' | |
| 466 | 469 | ############################################################################### | |
| 467 | 470 | (>&2·echo·"Remediating·rule·8/94:·'rsyslog_files_groupownership'") | |
| 468 | 471 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 469 | #·END·fix·for·' | 472 | #·END·fix·for·'rsyslog_files_groupownership' |
| 470 | ############################################################################### | 473 | ############################################################################### |
| 471 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' | 474 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' |
| 472 | ############################################################################### | 475 | ############################################################################### |
| 473 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") | 476 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") |
| 474 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 477 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 475 | # | 478 | # |
| Offset 528, 24 lines modified | Offset 528, 46 lines modified | ||
| 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs | 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs |
| 529 | if·!·[·$?·-eq·0·];·then | 529 | if·!·[·$?·-eq·0·];·then |
| 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs | 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs |
| 531 | fi | 531 | fi |
| 532 | #·END·fix·for·'accounts_maximum_age_login_defs' | 532 | #·END·fix·for·'accounts_maximum_age_login_defs' |
| 533 | ############################################################################### | 533 | ############################################################################### |
| 534 | #·BEGIN·fix·(11·/·94)·for·' | 534 | #·BEGIN·fix·(11·/·94)·for·'no_empty_passwords' |
| 535 | ############################################################################### | 535 | ############################################################################### |
| 536 | (>&2·echo·"Remediating·rule·11/94:·' | 536 | (>&2·echo·"Remediating·rule·11/94:·'no_empty_passwords'") |
| 537 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | ||
| 538 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | ||
| 539 | #·END·fix·for·'no_empty_passwords' | ||
| 540 | ############################################################################### | ||
| 541 | #·BEGIN·fix·(12·/·94)·for·'accounts_password_all_shadowed' | ||
| 542 | ############################################################################### | ||
| 543 | (>&2·echo·"Remediating·rule·12/94:·'accounts_password_all_shadowed'") | ||
| 544 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 545 | #·END·fix·for·'accounts_password_all_shadowed' | ||
| 546 | ############################################################################### | ||
| 547 | #·BEGIN·fix·(13·/·94)·for·'gid_passwd_group_same' | ||
| 548 | ############################################################################### | ||
| 549 | (>&2·echo·"Remediating·rule·13/94:·'gid_passwd_group_same'") | ||
| 550 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 551 | #·END·fix·for·'gid_passwd_group_same' | ||
| 552 | ############################################################################### | ||
| 553 | #·BEGIN·fix·(14·/·94)·for·'account_unique_name' | ||
| 554 | ############################################################################### | ||
| 555 | (>&2·echo·"Remediating·rule·14/94:·'account_unique_name'") | ||
| 537 | #·FIX·FOR·THIS·RULE·IS·MISSING | 556 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 538 | #·END·fix·for·'account_unique_name' | 557 | #·END·fix·for·'account_unique_name' |
| 539 | ############################################################################### | 558 | ############################################################################### |
| 540 | #·BEGIN·fix·(1 | 559 | #·BEGIN·fix·(15·/·94)·for·'account_disable_post_pw_expiration' |
| 541 | ############################################################################### | 560 | ############################################################################### |
| 542 | (>&2·echo·"Remediating·rule·1 | 561 | (>&2·echo·"Remediating·rule·15/94:·'account_disable_post_pw_expiration'") |
| 543 | var_account_disable_post_pw_expiration="90" | 562 | var_account_disable_post_pw_expiration="90" |
| 544 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 563 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 545 | #·it·does·not·exist. | 564 | #·it·does·not·exist. |
| 546 | # | 565 | # |
| 547 | #·Expects·arguments: | 566 | #·Expects·arguments: |
| 548 | # | 567 | # |
| Offset 622, 71 lines modified | Offset 644, 49 lines modified | ||
| 622 | ··fi | 644 | ··fi |
| 623 | } | 645 | } |
| 624 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' | 646 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' |
| 625 | #·END·fix·for·'account_disable_post_pw_expiration' | 647 | #·END·fix·for·'account_disable_post_pw_expiration' |
| Max diff block lines reached; 67060/74413 bytes (90.12%) of diff not shown. | |||
| Offset 1299, 26 lines modified | Offset 1299, 26 lines modified | ||
| 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1300 | if·!·[·$?·-eq·0·];·then | 1300 | if·!·[·$?·-eq·0·];·then |
| 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1302 | fi | 1302 | fi |
| 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1304 | ############################################################################### | 1304 | ############################################################################### |
| 1305 | #·BEGIN·fix·(25·/·70)·for·' | 1305 | #·BEGIN·fix·(25·/·70)·for·'accounts_no_uid_except_zero' |
| 1306 | ############################################################################### | 1306 | ############################################################################### |
| 1307 | (>&2·echo·"Remediating·rule·25/70:·' | 1307 | (>&2·echo·"Remediating·rule·25/70:·'accounts_no_uid_except_zero'") |
| 1308 | 1308 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1309 | #·END·fix·for·' | 1309 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1310 | ############################################################################### | 1310 | ############################################################################### |
| 1311 | #·BEGIN·fix·(26·/·70)·for·' | 1311 | #·BEGIN·fix·(26·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1312 | ############################################################################### | 1312 | ############################################################################### |
| 1313 | (>&2·echo·"Remediating·rule·26/70:·' | 1313 | (>&2·echo·"Remediating·rule·26/70:·'no_shelllogin_for_systemaccounts'") |
| 1314 | 1314 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1315 | #·END·fix·for·' | 1315 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1316 | ############################################################################### | 1316 | ############################################################################### |
| 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' | 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' |
| 1318 | ############################################################################### | 1318 | ############################################################################### |
| 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") | 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") |
| 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| Offset 1340, 37 lines modified | Offset 1340, 37 lines modified | ||
| 1340 | else | 1340 | else |
| 1341 | » echo·""·>>·/etc/login.defs | 1341 | » echo·""·>>·/etc/login.defs |
| 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs | 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs |
| 1343 | fi | 1343 | fi |
| 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' | 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' |
| 1345 | ############################################################################### | 1345 | ############################################################################### |
| 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_ | 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_systemauth' |
| 1347 | ############################################################################### | 1347 | ############################################################################### |
| 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_ | 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_systemauth'") |
| 1349 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1350 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1351 | ############################################################################### | ||
| 1352 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_systemauth' | ||
| 1353 | ############################################################################### | ||
| 1354 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_systemauth'") | ||
| 1355 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1349 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| 1356 | AUTH_FILES[1]="/etc/pam.d/password-auth" | 1350 | AUTH_FILES[1]="/etc/pam.d/password-auth" |
| 1357 | for·pamFile·in·"${AUTH_FILES[@]}" | 1351 | for·pamFile·in·"${AUTH_FILES[@]}" |
| 1358 | do | 1352 | do |
| 1359 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then | 1353 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then |
| 1360 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile | 1354 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile |
| 1361 | » fi | 1355 | » fi |
| 1362 | done | 1356 | done |
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' | 1357 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' |
| 1364 | ############################################################################### | 1358 | ############################################################################### |
| 1359 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1360 | ############################################################################### | ||
| 1361 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_libuserconf'") | ||
| 1362 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1364 | ############################################################################### | ||
| 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' | 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' |
| 1366 | ############################################################################### | 1366 | ############################################################################### |
| 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") | 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") |
| 1368 | var_password_pam_unix_remember="5" | 1368 | var_password_pam_unix_remember="5" |
| 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| Offset 1946, 51 lines modified | Offset 1946, 52 lines modified | ||
| 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service | 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service |
| 1947 | if·!·[·$?·-eq·0·];·then | 1947 | if·!·[·$?·-eq·0·];·then |
| 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service | 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service |
| 1949 | fi | 1949 | fi |
| 1950 | #·END·fix·for·'require_singleuser_auth' | 1950 | #·END·fix·for·'require_singleuser_auth' |
| 1951 | ############################################################################### | 1951 | ############################################################################### |
| 1952 | #·BEGIN·fix·(45·/·70)·for·' | 1952 | #·BEGIN·fix·(45·/·70)·for·'file_permissions_etc_shadow' |
| 1953 | ############################################################################### | ||
| 1954 | (>&2·echo·"Remediating·rule·45/70:·'userowner_shadow_file'") | ||
| 1955 | chown·root·/etc/shadow | ||
| 1956 | #·END·fix·for·'userowner_shadow_file' | ||
| 1957 | ############################################################################### | 1953 | ############################################################################### |
| 1958 | 1954 | (>&2·echo·"Remediating·rule·45/70:·'file_permissions_etc_shadow'") | |
| 1959 | ############################################################################### | ||
| 1960 | (>&2·echo·"Remediating·rule·46/70:·'file_permissions_etc_shadow'") | ||
| 1961 | chmod·0000·/etc/shadow | 1955 | chmod·0000·/etc/shadow |
| 1962 | #·END·fix·for·'file_permissions_etc_shadow' | 1956 | #·END·fix·for·'file_permissions_etc_shadow' |
| 1963 | ############################################################################### | 1957 | ############################################################################### |
| 1964 | #·BEGIN·fix·(4 | 1958 | #·BEGIN·fix·(46·/·70)·for·'groupowner_shadow_file' |
| 1965 | ############################################################################### | 1959 | ############################################################################### |
| 1966 | (>&2·echo·"Remediating·rule·4 | 1960 | (>&2·echo·"Remediating·rule·46/70:·'groupowner_shadow_file'") |
| 1967 | chgrp·root·/etc/shadow | 1961 | chgrp·root·/etc/shadow |
| 1968 | #·END·fix·for·'groupowner_shadow_file' | 1962 | #·END·fix·for·'groupowner_shadow_file' |
| 1969 | ############################################################################### | 1963 | ############################################################################### |
| 1970 | #·BEGIN·fix·(4 | 1964 | #·BEGIN·fix·(47·/·70)·for·'file_owner_etc_group' |
| 1971 | ############################################################################### | 1965 | ############################################################################### |
| 1972 | (>&2·echo·"Remediating·rule·4 | 1966 | (>&2·echo·"Remediating·rule·47/70:·'file_owner_etc_group'") |
| 1973 | chown·root·/etc/group | 1967 | chown·root·/etc/group |
| 1974 | #·END·fix·for·'file_owner_etc_group' | 1968 | #·END·fix·for·'file_owner_etc_group' |
| 1975 | ############################################################################### | 1969 | ############################################################################### |
| 1976 | #·BEGIN·fix·(4 | 1970 | #·BEGIN·fix·(48·/·70)·for·'file_permissions_etc_group' |
| 1977 | ############################################################################### | 1971 | ############################################################################### |
| 1978 | (>&2·echo·"Remediating·rule·4 | 1972 | (>&2·echo·"Remediating·rule·48/70:·'file_permissions_etc_group'") |
| 1979 | chmod·0644·/etc/group | 1973 | chmod·0644·/etc/group |
| 1980 | #·END·fix·for·'file_permissions_etc_group' | 1974 | #·END·fix·for·'file_permissions_etc_group' |
| 1981 | ############################################################################### | 1975 | ############################################################################### |
| 1976 | #·BEGIN·fix·(49·/·70)·for·'file_groupowner_etc_passwd' | ||
| 1977 | ############################################################################### | ||
| 1978 | (>&2·echo·"Remediating·rule·49/70:·'file_groupowner_etc_passwd'") | ||
| 1979 | chgrp·root·/etc/passwd | ||
| 1980 | #·END·fix·for·'file_groupowner_etc_passwd' | ||
| 1981 | ############################################################################### | ||
| 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' | 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' |
| 1983 | ############################################################################### | 1983 | ############################################################################### |
| 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") | 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") |
| Max diff block lines reached; 1167/8456 bytes (13.80%) of diff not shown. | |||
| Offset 681, 99 lines modified | Offset 681, 17 lines modified | ||
| 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' | 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' |
| 682 | ############################################################################### | 682 | ############################################################################### |
| 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") | 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") |
| 684 | #·FIX·FOR·THIS·RULE·IS·MISSING | 684 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' | 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' |
| 686 | ############################################################################### | 686 | ############################################################################### |
| 687 | #·BEGIN·fix·(15·/·51)·for·' | 687 | #·BEGIN·fix·(15·/·51)·for·'mount_option_dev_shm_nosuid' |
| 688 | ############################################################################### | 688 | ############################################################################### |
| 689 | (>&2·echo·"Remediating·rule·15/51:·' | 689 | (>&2·echo·"Remediating·rule·15/51:·'mount_option_dev_shm_nosuid'") |
| 690 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 691 | # | ||
| 692 | #·Example·Call(s): | ||
| 693 | # | ||
| 694 | #·····service_command·enable·bluetooth | ||
| 695 | #·····service_command·disable·bluetooth.service | ||
| 696 | # | ||
| 697 | #·····Using·xinetd: | ||
| 698 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 699 | # | ||
| 700 | function·service_command·{ | ||
| 701 | #·Load·function·arguments·into·local·variables | ||
| 702 | local·service_state=$1 | ||
| 703 | local·service=$2 | ||
| 704 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 705 | #·Check·sanity·of·the·input | ||
| 706 | if·[·$#·-lt·"2"·] | ||
| 707 | then | ||
| 708 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 709 | ··echo | ||
| 710 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 711 | ··echo·"as·the·last·argument"·· | ||
| 712 | ··echo·"Aborting." | ||
| 713 | ··exit·1 | ||
| 714 | fi | ||
| 715 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 716 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 717 | ··service_util="/usr/bin/systemctl" | ||
| 718 | else | ||
| 719 | ··service_util="/sbin/service" | ||
| 720 | ··chkconfig_util="/sbin/chkconfig" | ||
| 721 | fi | ||
| 722 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 723 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 724 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 725 | ··service_state="enable" | ||
| 726 | ··service_operation="start" | ||
| 727 | ··chkconfig_state="on" | ||
| 728 | else | ||
| 729 | ··service_state="disable" | ||
| 730 | ··service_operation="stop" | ||
| 731 | ··chkconfig_state="off" | ||
| 732 | fi | ||
| 733 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 734 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 735 | ··$service_util·$service·$service_operation | ||
| 736 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 737 | else | ||
| 738 | ··$service_util·$service_operation·$service | ||
| 739 | ··$service_util·$service_state·$service | ||
| 740 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 741 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 742 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 743 | ··$service_util·reset-failed·$service | ||
| 744 | fi | ||
| 745 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 746 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 747 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 748 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 749 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 750 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 751 | ··else | ||
| 752 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 753 | ··fi | ||
| 754 | fi | ||
| 755 | } | ||
| 756 | service_command·disable·autofs | ||
| 757 | #·END·fix·for·'service_autofs_disabled' | ||
| 758 | ############################################################################### | ||
| 759 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nosuid' | ||
| 760 | ############################################################################### | ||
| 761 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nosuid'") | ||
| 762 | function·include_mount_options_functions·{ | 690 | function·include_mount_options_functions·{ |
| 763 | » : | 691 | » : |
| 764 | } | 692 | } |
| 765 | #·$1:·mount·point | 693 | #·$1:·mount·point |
| 766 | #·$2:·new·mount·point·option | 694 | #·$2:·new·mount·point·option |
| 767 | function·ensure_mount_option_in_fstab·{ | 695 | function·ensure_mount_option_in_fstab·{ |
| Offset 828, 17 lines modified | Offset 746, 17 lines modified | ||
| 828 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" | 746 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" |
| 829 | ensure_partition_is_mounted·"/dev/shm" | 747 | ensure_partition_is_mounted·"/dev/shm" |
| 830 | #·END·fix·for·'mount_option_dev_shm_nosuid' | 748 | #·END·fix·for·'mount_option_dev_shm_nosuid' |
| 831 | ############################################################################### | 749 | ############################################################################### |
| 832 | #·BEGIN·fix·(1 | 750 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nodev' |
| 833 | ############################################################################### | 751 | ############################################################################### |
| 834 | (>&2·echo·"Remediating·rule·1 | 752 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nodev'") |
| 835 | function·include_mount_options_functions·{ | 753 | function·include_mount_options_functions·{ |
| 836 | » : | 754 | » : |
| 837 | } | 755 | } |
| 838 | #·$1:·mount·point | 756 | #·$1:·mount·point |
| 839 | #·$2:·new·mount·point·option | 757 | #·$2:·new·mount·point·option |
| 840 | function·ensure_mount_option_in_fstab·{ | 758 | function·ensure_mount_option_in_fstab·{ |
| Offset 893, 14 lines modified | Offset 811, 96 lines modified | ||
| 893 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" | 811 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" |
| 894 | ensure_partition_is_mounted·"/dev/shm" | 812 | ensure_partition_is_mounted·"/dev/shm" |
| 895 | #·END·fix·for·'mount_option_dev_shm_nodev' | 813 | #·END·fix·for·'mount_option_dev_shm_nodev' |
| 896 | ############################################################################### | 814 | ############################################################################### |
| 815 | #·BEGIN·fix·(17·/·51)·for·'service_autofs_disabled' | ||
| 816 | ############################################################################### | ||
| Max diff block lines reached; 48602/55764 bytes (87.16%) of diff not shown. | |||
| Offset 28, 42 lines modified | Offset 28, 42 lines modified | ||
| 28 | # | 28 | # |
| 29 | #·How·to·apply·this·remediation·role: | 29 | #·How·to·apply·this·remediation·role: |
| 30 | #·$·sudo·./remediation-role.sh | 30 | #·$·sudo·./remediation-role.sh |
| 31 | # | 31 | # |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | ############################################################################### | 33 | ############################################################################### |
| 34 | #·BEGIN·fix·(1·/·243)·for·'no_host_based_files' | 34 | #·BEGIN·fix·(1·/·243)·for·'no_user_host_based_files' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | (>&2·echo·"Remediating·rule·1/243:·'no_host_based_files'") | 36 | (>&2·echo·"Remediating·rule·1/243:·'no_user_host_based_files'") |
| 37 | #·Identify·local·mounts | 37 | #·Identify·local·mounts |
| 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 39 | #·Find·file·on·each·listed·mount·point | 39 | #·Find·file·on·each·listed·mount·point |
| 40 | for·cur_mount·in·${MOUNT_LIST} | 40 | for·cur_mount·in·${MOUNT_LIST} |
| 41 | do | 41 | do |
| 42 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts | 42 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 43 | done | 43 | done |
| 44 | #·END·fix·for·'no_host_based_files' | 44 | #·END·fix·for·'no_user_host_based_files' |
| 45 | ############################################################################### | 45 | ############################################################################### |
| 46 | #·BEGIN·fix·(2·/·243)·for·'no_ | 46 | #·BEGIN·fix·(2·/·243)·for·'no_host_based_files' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/243:·'no_ | 48 | (>&2·echo·"Remediating·rule·2/243:·'no_host_based_files'") |
| 49 | #·Identify·local·mounts | 49 | #·Identify·local·mounts |
| 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 51 | #·Find·file·on·each·listed·mount·point | 51 | #·Find·file·on·each·listed·mount·point |
| 52 | for·cur_mount·in·${MOUNT_LIST} | 52 | for·cur_mount·in·${MOUNT_LIST} |
| 53 | do | 53 | do |
| 54 | » find·${cur_mount}·-xdev·-type·f·-name·" | 54 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 55 | done | 55 | done |
| 56 | #·END·fix·for·'no_ | 56 | #·END·fix·for·'no_host_based_files' |
| 57 | ############################################################################### | 57 | ############################################################################### |
| 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' | 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' |
| 59 | ############################################################################### | 59 | ############################################################################### |
| 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") | 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") |
| 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 62 | # | 62 | # |
| Offset 190, 24 lines modified | Offset 190, 17 lines modified | ||
| 190 | } | 190 | } |
| 191 | package_remove·ypserv | 191 | package_remove·ypserv |
| 192 | #·END·fix·for·'package_ypserv_removed' | 192 | #·END·fix·for·'package_ypserv_removed' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | #·BEGIN·fix·(6·/·243)·for·'tftp | 194 | #·BEGIN·fix·(6·/·243)·for·'package_tftp-server_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | (>&2·echo·"Remediating·rule·6/243:·'tftp | 196 | (>&2·echo·"Remediating·rule·6/243:·'package_tftp-server_removed'") |
| 197 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 198 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 199 | ############################################################################### | ||
| 200 | #·BEGIN·fix·(7·/·243)·for·'package_tftp-server_removed' | ||
| 201 | ############################################################################### | ||
| 202 | (>&2·echo·"Remediating·rule·7/243:·'package_tftp-server_removed'") | ||
| 203 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 197 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 198 | # |
| 205 | #·Example·Call(s): | 199 | #·Example·Call(s): |
| 206 | # | 200 | # |
| 207 | #·····package_remove·telnet-server | 201 | #·····package_remove·telnet-server |
| 208 | # | 202 | # |
| 209 | function·package_remove·{ | 203 | function·package_remove·{ |
| Offset 241, 14 lines modified | Offset 234, 21 lines modified | ||
| 241 | } | 234 | } |
| 242 | package_remove·tftp-server | 235 | package_remove·tftp-server |
| 243 | #·END·fix·for·'package_tftp-server_removed' | 236 | #·END·fix·for·'package_tftp-server_removed' |
| 244 | ############################################################################### | 237 | ############################################################################### |
| 238 | #·BEGIN·fix·(7·/·243)·for·'tftpd_uses_secure_mode' | ||
| 239 | ############################################################################### | ||
| 240 | (>&2·echo·"Remediating·rule·7/243:·'tftpd_uses_secure_mode'") | ||
| 241 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 242 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 243 | ############################################################################### | ||
| 245 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' | 244 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' |
| 246 | ############################################################################### | 245 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") | 246 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") |
| 248 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 247 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 249 | # | 248 | # |
| 250 | #·Example·Call(s): | 249 | #·Example·Call(s): |
| 251 | # | 250 | # |
| Offset 475, 26 lines modified | Offset 475, 26 lines modified | ||
| 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf | 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf |
| 476 | else | 476 | else |
| 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf | 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf |
| 478 | fi | 478 | fi |
| 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' | 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' |
| 480 | ############################################################################### | 480 | ############################################################################### |
| 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_ | 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_noexec_remote_filesystems' |
| 482 | ############################################################################### | 482 | ############################################################################### |
| 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_ | 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_noexec_remote_filesystems'") |
| 484 | #·FIX·FOR·THIS·RULE·IS·MISSING | 484 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 485 | #·END·fix·for·'mount_option_ | 485 | #·END·fix·for·'mount_option_noexec_remote_filesystems' |
| 486 | ############################################################################### | 486 | ############################################################################### |
| 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_ | 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_krb_sec_remote_filesystems' |
| 488 | ############################################################################### | 488 | ############################################################################### |
| 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_ | 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_krb_sec_remote_filesystems'") |
| 490 | #·FIX·FOR·THIS·RULE·IS·MISSING | 490 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 491 | #·END·fix·for·'mount_option_ | 491 | #·END·fix·for·'mount_option_krb_sec_remote_filesystems' |
| 492 | ############################################################################### | 492 | ############################################################################### |
| 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 494 | ############################################################################### | 494 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 496 | #·FIX·FOR·THIS·RULE·IS·MISSING | 496 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| Offset 2270, 128 lines modified | Offset 2270, 24 lines modified | ||
| 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' | 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' |
| 2271 | ############################################################################### | 2271 | ############################################################################### |
| 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") | 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") |
| 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING | 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 2274 | #·END·fix·for·'rsyslog_nolisten' | 2274 | #·END·fix·for·'rsyslog_nolisten' |
| 2275 | ############################################################################### | 2275 | ############################################################################### |
| 2276 | #·BEGIN·fix·(50·/·243)·for·'s | 2276 | #·BEGIN·fix·(50·/·243)·for·'set_firewalld_default_zone' |
| 2277 | ############################################################################### | ||
| 2278 | (>&2·echo·"Remediating·rule·50/243:·'sysctl_net_ipv6_conf_all_accept_source_route'") | ||
| Max diff block lines reached; 153301/163979 bytes (93.49%) of diff not shown. | |||
| Offset 18, 19 lines modified | Offset 18, 19 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·32)·for·'cinder_ | 24 | #·BEGIN·fix·(1·/·32)·for·'cinder_nova_tls' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/32:·'cinder_ | 26 | (>&2·echo·"Remediating·rule·1/32:·'cinder_nova_tls'") |
| 27 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT· | 27 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False |
| 28 | #·END·fix·for·'cinder_ | 28 | #·END·fix·for·'cinder_nova_tls' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | #·BEGIN·fix·(2·/·32)·for·'cinder_nas_secure_file_permissions' | 30 | #·BEGIN·fix·(2·/·32)·for·'cinder_nas_secure_file_permissions' |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule·2/32:·'cinder_nas_secure_file_permissions'") | 32 | (>&2·echo·"Remediating·rule·2/32:·'cinder_nas_secure_file_permissions'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'cinder_nas_secure_file_permissions' | 34 | #·END·fix·for·'cinder_nas_secure_file_permissions' |
| Offset 39, 157 lines modified | Offset 39, 157 lines modified | ||
| 39 | #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone' | 39 | #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone' |
| 40 | ############################################################################### | 40 | ############################################################################### |
| 41 | (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'") | 41 | (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'") |
| 42 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone | 42 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone |
| 43 | #·END·fix·for·'cinder_using_keystone' | 43 | #·END·fix·for·'cinder_using_keystone' |
| 44 | ############################################################################### | 44 | ############################################################################### |
| 45 | #·BEGIN·fix·(4·/·32)·for·'cinder_ | 45 | #·BEGIN·fix·(4·/·32)·for·'cinder_tls_enabled' |
| 46 | ############################################################################### | ||
| 47 | (>&2·echo·"Remediating·rule·4/32:·'cinder_file_perms'") | ||
| 48 | chmod·640·/etc/cinder/cinder.conf | ||
| 49 | chmod·640·/etc/cinder/api-paste.ini | ||
| 50 | chmod·640·/etc/cinder/policy.json | ||
| 51 | chmod·640·/etc/cinder/rootwrap.conf | ||
| 52 | #·END·fix·for·'cinder_file_perms' | ||
| 53 | ############################################################################### | 46 | ############################################################################### |
| 54 | 47 | (>&2·echo·"Remediating·rule·4/32:·'cinder_tls_enabled'") | |
| 55 | ############################################################################### | ||
| 56 | (>&2·echo·"Remediating·rule·5/32:·'cinder_tls_enabled'") | ||
| 57 | OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) | 48 | OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) |
| 58 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" | 49 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" |
| 59 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI | 50 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI |
| 60 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) | 51 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) |
| 61 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" | 52 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" |
| 62 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI | 53 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI |
| 63 | #·END·fix·for·'cinder_tls_enabled' | 54 | #·END·fix·for·'cinder_tls_enabled' |
| 64 | ############################################################################### | 55 | ############################################################################### |
| 65 | #·BEGIN·fix·( | 56 | #·BEGIN·fix·(5·/·32)·for·'cinder_file_perms' |
| 66 | ############################################################################### | 57 | ############################################################################### |
| 67 | (>&2·echo·"Remediating·rule· | 58 | (>&2·echo·"Remediating·rule·5/32:·'cinder_file_perms'") |
| 68 | 59 | chmod·640·/etc/cinder/cinder.conf | |
| 69 | 60 | chmod·640·/etc/cinder/api-paste.ini | |
| 61 | chmod·640·/etc/cinder/policy.json | ||
| 62 | chmod·640·/etc/cinder/rootwrap.conf | ||
| 63 | #·END·fix·for·'cinder_file_perms' | ||
| 70 | ############################################################################### | 64 | ############################################################################### |
| 71 | #·BEGIN·fix·( | 65 | #·BEGIN·fix·(6·/·32)·for·'cinder_file_ownership' |
| 72 | ############################################################################### | 66 | ############################################################################### |
| 73 | (>&2·echo·"Remediating·rule· | 67 | (>&2·echo·"Remediating·rule·6/32:·'cinder_file_ownership'") |
| 74 | for·file·in·/etc/cinder/cinder.conf·\ | 68 | for·file·in·/etc/cinder/cinder.conf·\ |
| 75 | » » /etc/cinder/api-paste.ini·\ | 69 | » » /etc/cinder/api-paste.ini·\ |
| 76 | » » /etc/cinder/policy.json·\ | 70 | » » /etc/cinder/policy.json·\ |
| 77 | » » /etc/cinder/rootwrap.conf;·do | 71 | » » /etc/cinder/rootwrap.conf;·do |
| 78 | » chown·root·$file | 72 | » chown·root·$file |
| 79 | » chgrp·cinder·$file | 73 | » chgrp·cinder·$file |
| 80 | done | 74 | done |
| 81 | #·END·fix·for·'cinder_file_ownership' | 75 | #·END·fix·for·'cinder_file_ownership' |
| 82 | ############################################################################### | 76 | ############################################################################### |
| 83 | #·BEGIN·fix·( | 77 | #·BEGIN·fix·(7·/·32)·for·'cinder_osapi_max_request_body' |
| 84 | ############################################################################### | 78 | ############################################################################### |
| 85 | (>&2·echo·"Remediating·rule· | 79 | (>&2·echo·"Remediating·rule·7/32:·'cinder_osapi_max_request_body'") |
| 86 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·osapi_max_request_body_size·114688 | 80 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·osapi_max_request_body_size·114688 |
| 87 | #·END·fix·for·'cinder_osapi_max_request_body' | 81 | #·END·fix·for·'cinder_osapi_max_request_body' |
| 88 | ############################################################################### | 82 | ############################################################################### |
| 89 | #·BEGIN·fix·( | 83 | #·BEGIN·fix·(8·/·32)·for·'cinder_glance_tls' |
| 84 | ############################################################################### | ||
| 85 | (>&2·echo·"Remediating·rule·8/32:·'cinder_glance_tls'") | ||
| 86 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·glance_api_insecure·False | ||
| 87 | #·END·fix·for·'cinder_glance_tls' | ||
| 88 | ############################################################################### | ||
| 89 | #·BEGIN·fix·(9·/·32)·for·'keystone_disable_admin_token' | ||
| 90 | ############################################################################### | ||
| 91 | (>&2·echo·"Remediating·rule·9/32:·'keystone_disable_admin_token'") | ||
| 92 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 93 | #·END·fix·for·'keystone_disable_admin_token' | ||
| 94 | ############################################################################### | ||
| 95 | #·BEGIN·fix·(10·/·32)·for·'keystone_file_ownership' | ||
| 96 | ############################################################################### | ||
| 97 | (>&2·echo·"Remediating·rule·10/32:·'keystone_file_ownership'") | ||
| 98 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 99 | #·END·fix·for·'keystone_file_ownership' | ||
| 100 | ############################################################################### | ||
| 101 | #·BEGIN·fix·(11·/·32)·for·'keystone_max_request_body_size' | ||
| 102 | ############################################################################### | ||
| 103 | (>&2·echo·"Remediating·rule·11/32:·'keystone_max_request_body_size'") | ||
| 104 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 105 | #·END·fix·for·'keystone_max_request_body_size' | ||
| 106 | ############################################################################### | ||
| 107 | #·BEGIN·fix·(12·/·32)·for·'keystone_algorithm_hashing' | ||
| 108 | ############################################################################### | ||
| 109 | (>&2·echo·"Remediating·rule·12/32:·'keystone_algorithm_hashing'") | ||
| 110 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 111 | #·END·fix·for·'keystone_algorithm_hashing' | ||
| 112 | ############################################################################### | ||
| 113 | #·BEGIN·fix·(13·/·32)·for·'keystone_file_perms' | ||
| 114 | ############################################################################### | ||
| 115 | (>&2·echo·"Remediating·rule·13/32:·'keystone_file_perms'") | ||
| 116 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 117 | #·END·fix·for·'keystone_file_perms' | ||
| 118 | ############################################################################### | ||
| 119 | #·BEGIN·fix·(14·/·32)·for·'keystone_use_ssl' | ||
| 120 | ############################################################################### | ||
| 121 | (>&2·echo·"Remediating·rule·14/32:·'keystone_use_ssl'") | ||
| 122 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 123 | #·END·fix·for·'keystone_use_ssl' | ||
| Max diff block lines reached; 5633/12951 bytes (43.49%) of diff not shown. | |||
| Offset 115, 61 lines modified | Offset 115, 17 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·' | 119 | #·BEGIN·fix·(3·/·188)·for·'service_ntpd_enabled' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·' | 121 | (>&2·echo·"Remediating·rule·3/188:·'service_ntpd_enabled'") |
| 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 123 | # | ||
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·dhcp | ||
| 155 | #·END·fix·for·'package_dhcp_removed' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(4·/·188)·for·'service_ntpd_enabled' | ||
| 158 | ############################################################################### | ||
| 159 | (>&2·echo·"Remediating·rule·4/188:·'service_ntpd_enabled'") | ||
| 160 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 122 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 161 | # | 123 | # |
| 162 | #·Example·Call(s): | 124 | #·Example·Call(s): |
| 163 | # | 125 | # |
| 164 | #·····service_command·enable·bluetooth | 126 | #·····service_command·enable·bluetooth |
| 165 | #·····service_command·disable·bluetooth.service | 127 | #·····service_command·disable·bluetooth.service |
| 166 | # | 128 | # |
| Offset 241, 31 lines modified | Offset 197, 31 lines modified | ||
| 241 | } | 197 | } |
| 242 | service_command·enable·ntpd | 198 | service_command·enable·ntpd |
| 243 | #·END·fix·for·'service_ntpd_enabled' | 199 | #·END·fix·for·'service_ntpd_enabled' |
| 244 | ############################################################################### | 200 | ############################################################################### |
| 245 | #·BEGIN·fix·( | 201 | #·BEGIN·fix·(4·/·188)·for·'ntpd_specify_remote_server' |
| 246 | ############################################################################### | 202 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule· | 203 | (>&2·echo·"Remediating·rule·4/188:·'ntpd_specify_remote_server'") |
| 248 | #·FIX·FOR·THIS·RULE·IS·MISSING | 204 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 249 | #·END·fix·for·'ntpd_specify_ | 205 | #·END·fix·for·'ntpd_specify_remote_server' |
| 250 | ############################################################################### | 206 | ############################################################################### |
| 251 | #·BEGIN·fix·( | 207 | #·BEGIN·fix·(5·/·188)·for·'ntpd_specify_multiple_servers' |
| 252 | ############################################################################### | 208 | ############################################################################### |
| 253 | (>&2·echo·"Remediating·rule· | 209 | (>&2·echo·"Remediating·rule·5/188:·'ntpd_specify_multiple_servers'") |
| 254 | #·FIX·FOR·THIS·RULE·IS·MISSING | 210 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 255 | #·END·fix·for·'ntpd_specify_ | 211 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 256 | ############################################################################### | 212 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 213 | #·BEGIN·fix·(6·/·188)·for·'service_cups_disabled' |
| 258 | ############################################################################### | 214 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 215 | (>&2·echo·"Remediating·rule·6/188:·'service_cups_disabled'") |
| 260 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 216 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 217 | # |
| 262 | #·Example·Call(s): | 218 | #·Example·Call(s): |
| 263 | # | 219 | # |
| 264 | #·····service_command·enable·bluetooth | 220 | #·····service_command·enable·bluetooth |
| 265 | #·····service_command·disable·bluetooth.service | 221 | #·····service_command·disable·bluetooth.service |
| 266 | # | 222 | # |
| Offset 337, 17 lines modified | Offset 293, 17 lines modified | ||
| 337 | } | 293 | } |
| 338 | service_command·disable·cups | 294 | service_command·disable·cups |
| 339 | #·END·fix·for·'service_cups_disabled' | 295 | #·END·fix·for·'service_cups_disabled' |
| 340 | ############################################################################### | 296 | ############################################################################### |
| 341 | #·BEGIN·fix·( | 297 | #·BEGIN·fix·(7·/·188)·for·'package_net-snmp_removed' |
| 342 | ############################################################################### | 298 | ############################################################################### |
| 343 | (>&2·echo·"Remediating·rule· | 299 | (>&2·echo·"Remediating·rule·7/188:·'package_net-snmp_removed'") |
| 344 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 345 | # | 301 | # |
| 346 | #·Example·Call(s): | 302 | #·Example·Call(s): |
| 347 | # | 303 | # |
| 348 | #·····package_remove·telnet-server | 304 | #·····package_remove·telnet-server |
| 349 | # | 305 | # |
| 350 | function·package_remove·{ | 306 | function·package_remove·{ |
| Offset 381, 225 lines modified | Offset 337, 17 lines modified | ||
| 381 | } | 337 | } |
| 382 | package_remove·net-snmp | 338 | package_remove·net-snmp |
| 383 | #·END·fix·for·'package_net-snmp_removed' | 339 | #·END·fix·for·'package_net-snmp_removed' |
| 384 | ############################################################################### | 340 | ############################################################################### |
| 385 | #·BEGIN·fix·( | 341 | #·BEGIN·fix·(8·/·188)·for·'package_rsh_removed' |
| 386 | ############################################################################### | 342 | ############################################################################### |
| 387 | (>&2·echo·"Remediating·rule· | 343 | (>&2·echo·"Remediating·rule·8/188:·'package_rsh_removed'") |
| 388 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 389 | # | ||
| 390 | #·Example·Call(s): | ||
| 391 | # | ||
| 392 | #·····service_command·enable·bluetooth | ||
| Max diff block lines reached; 431773/442964 bytes (97.47%) of diff not shown. | |||
| Offset 18, 26 lines modified | Offset 18, 26 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_ | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_present_banner' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_ | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_present_banner'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'ftp_ | 28 | #·END·fix·for·'ftp_present_banner' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_ | 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_log_transactions' |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_ | 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_log_transactions'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'ftp_ | 34 | #·END·fix·for·'ftp_log_transactions' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") |
| 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 40 | # | 40 | # |
| Offset 280, 19 lines modified | Offset 280, 19 lines modified | ||
| 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' | 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 281 | ############################################################################### | 281 | ############################################################################### |
| 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") | 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 283 | #·FIX·FOR·THIS·RULE·IS·MISSING | 283 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 284 | #·END·fix·for·'httpd_cgi_support' | 284 | #·END·fix·for·'httpd_cgi_support' |
| 285 | ############################################################################### | 285 | ############################################################################### |
| 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication' |
| 287 | ############################################################################### | 287 | ############################################################################### |
| 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'") |
| 289 | #·FIX·FOR·THIS·RULE·IS·MISSING | 289 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 290 | #·END·fix·for·'httpd_ | 290 | #·END·fix·for·'httpd_digest_authentication' |
| 291 | ############################################################################### | 291 | ############################################################################### |
| 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 293 | ############################################################################### | 293 | ############################################################################### |
| 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 295 | #·FIX·FOR·THIS·RULE·IS·MISSING | 295 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 296 | #·END·fix·for·'httpd_server_activity_status' | 296 | #·END·fix·for·'httpd_server_activity_status' |
| Offset 301, 19 lines modified | Offset 301, 19 lines modified | ||
| 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' | 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' |
| 302 | ############################################################################### | 302 | ############################################################################### |
| 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") | 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") |
| 304 | #·FIX·FOR·THIS·RULE·IS·MISSING | 304 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 305 | #·END·fix·for·'httpd_server_configuration_display' | 305 | #·END·fix·for·'httpd_server_configuration_display' |
| 306 | ############################################################################### | 306 | ############################################################################### |
| 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_ | 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_url_correction' |
| 308 | ############################################################################### | 308 | ############################################################################### |
| 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_ | 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_url_correction'") |
| 310 | #·FIX·FOR·THIS·RULE·IS·MISSING | 310 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 311 | #·END·fix·for·'httpd_ | 311 | #·END·fix·for·'httpd_url_correction' |
| 312 | ############################################################################### | 312 | ############################################################################### |
| 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' | 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' |
| 314 | ############################################################################### | 314 | ############################################################################### |
| 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") | 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") |
| 316 | #·FIX·FOR·THIS·RULE·IS·MISSING | 316 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 317 | #·END·fix·for·'httpd_mime_magic' | 317 | #·END·fix·for·'httpd_mime_magic' |
| Offset 350, 59 lines modified | Offset 350, 17 lines modified | ||
| 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' | 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' |
| 351 | ############################################################################### | 351 | ############################################################################### |
| 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") | 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") |
| 353 | #·FIX·FOR·THIS·RULE·IS·MISSING | 353 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 354 | #·END·fix·for·'httpd_proxy_support' | 354 | #·END·fix·for·'httpd_proxy_support' |
| 355 | ############################################################################### | 355 | ############################################################################### |
| 356 | #·BEGIN·fix·(27·/·313)·for·'s | 356 | #·BEGIN·fix·(27·/·313)·for·'service_ntpd_enabled' |
| 357 | ############################################################################### | ||
| 358 | (>&2·echo·"Remediating·rule·27/313:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 359 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 360 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 361 | ############################################################################### | ||
| 362 | #·BEGIN·fix·(28·/·313)·for·'dhcp_server_deny_decline' | ||
| 363 | ############################################################################### | ||
| 364 | (>&2·echo·"Remediating·rule·28/313:·'dhcp_server_deny_decline'") | ||
| 365 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 366 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 367 | ############################################################################### | ||
| 368 | #·BEGIN·fix·(29·/·313)·for·'dhcp_server_disable_ddns' | ||
| 369 | ############################################################################### | ||
| 370 | (>&2·echo·"Remediating·rule·29/313:·'dhcp_server_disable_ddns'") | ||
| 371 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 372 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 373 | ############################################################################### | ||
| 374 | #·BEGIN·fix·(30·/·313)·for·'dhcp_server_minimize_served_info' | ||
| 375 | ############################################################################### | ||
| 376 | (>&2·echo·"Remediating·rule·30/313:·'dhcp_server_minimize_served_info'") | ||
| 377 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 378 | #·END·fix·for·'dhcp_server_minimize_served_info' | ||
| 379 | ############################################################################### | ||
| 380 | #·BEGIN·fix·(31·/·313)·for·'dhcp_server_deny_bootp' | ||
| 381 | ############################################################################### | ||
| 382 | (>&2·echo·"Remediating·rule·31/313:·'dhcp_server_deny_bootp'") | ||
| 383 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 384 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 385 | ############################################################################### | ||
| 386 | #·BEGIN·fix·(32·/·313)·for·'dhcp_server_configure_logging' | ||
| 387 | ############################################################################### | ||
| 388 | (>&2·echo·"Remediating·rule·32/313:·'dhcp_server_configure_logging'") | ||
| 389 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 390 | #·END·fix·for·'dhcp_server_configure_logging' | ||
| 391 | ############################################################################### | ||
| 392 | #·BEGIN·fix·(33·/·313)·for·'service_ntpd_enabled' | ||
| 393 | ############################################################################### | 357 | ############################################################################### |
| 394 | (>&2·echo·"Remediating·rule· | 358 | (>&2·echo·"Remediating·rule·27/313:·'service_ntpd_enabled'") |
| 395 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 359 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 396 | # | 360 | # |
| 397 | #·Example·Call(s): | 361 | #·Example·Call(s): |
| 398 | # | 362 | # |
| 399 | #·····service_command·enable·bluetooth | 363 | #·····service_command·enable·bluetooth |
| 400 | #·····service_command·disable·bluetooth.service | 364 | #·····service_command·disable·bluetooth.service |
| 401 | # | 365 | # |
| Offset 474, 31 lines modified | Offset 432, 31 lines modified | ||
| Max diff block lines reached; 653403/660390 bytes (98.94%) of diff not shown. | |||
| Offset 171, 171 lines modified | Offset 171, 17 lines modified | ||
| 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' | 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") | 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") |
| 174 | #·FIX·FOR·THIS·RULE·IS·MISSING | 174 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 175 | #·END·fix·for·'dir_perms_var_log_httpd' | 175 | #·END·fix·for·'dir_perms_var_log_httpd' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | #·BEGIN·fix·(6·/·215)·for·'s | 177 | #·BEGIN·fix·(6·/·215)·for·'service_ntpd_enabled' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | (>&2·echo·"Remediating·rule·6/215:·'s | 179 | (>&2·echo·"Remediating·rule·6/215:·'service_ntpd_enabled'") |
| 180 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 181 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 182 | ############################################################################### | ||
| 183 | #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline' | ||
| 184 | ############################################################################### | ||
| 185 | (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'") | ||
| 186 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 187 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 188 | ############################################################################### | ||
| 189 | #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns' | ||
| 190 | ############################################################################### | ||
| 191 | (>&2·echo·"Remediating·rule·8/215:·'dhcp_server_disable_ddns'") | ||
| 192 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 193 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 194 | ############################################################################### | ||
| 195 | #·BEGIN·fix·(9·/·215)·for·'dhcp_server_deny_bootp' | ||
| 196 | ############################################################################### | ||
| 197 | (>&2·echo·"Remediating·rule·9/215:·'dhcp_server_deny_bootp'") | ||
| 198 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 199 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 200 | ############################################################################### | ||
| 201 | #·BEGIN·fix·(10·/·215)·for·'package_dhcp_removed' | ||
| 202 | ############################################################################### | ||
| 203 | (>&2·echo·"Remediating·rule·10/215:·'package_dhcp_removed'") | ||
| 204 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 205 | # | ||
| 206 | #·Example·Call(s): | ||
| 207 | # | ||
| 208 | #·····package_remove·telnet-server | ||
| 209 | # | ||
| 210 | function·package_remove·{ | ||
| 211 | #·Load·function·arguments·into·local·variables | ||
| 212 | local·package="$1" | ||
| 213 | #·Check·sanity·of·the·input | ||
| 214 | if·[·$#·-ne·"1"·] | ||
| 215 | then | ||
| 216 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | if·which·dnf·;·then | ||
| 221 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 222 | ····dnf·remove·-y·"$package" | ||
| 223 | ··fi | ||
| 224 | elif·which·yum·;·then | ||
| 225 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 226 | ····yum·remove·-y·"$package" | ||
| 227 | ··fi | ||
| 228 | elif·which·apt-get·;·then | ||
| 229 | ··apt-get·remove·-y·"$package" | ||
| 230 | else | ||
| 231 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 232 | ··echo·"Aborting." | ||
| 233 | ··exit·1 | ||
| 234 | fi | ||
| 235 | } | ||
| 236 | package_remove·dhcp | ||
| 237 | #·END·fix·for·'package_dhcp_removed' | ||
| 238 | ############################################################################### | ||
| 239 | #·BEGIN·fix·(11·/·215)·for·'service_dhcpd_disabled' | ||
| 240 | ############################################################################### | ||
| 241 | (>&2·echo·"Remediating·rule·11/215:·'service_dhcpd_disabled'") | ||
| 242 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 243 | # | ||
| 244 | #·Example·Call(s): | ||
| 245 | # | ||
| 246 | #·····service_command·enable·bluetooth | ||
| 247 | #·····service_command·disable·bluetooth.service | ||
| 248 | # | ||
| 249 | #·····Using·xinetd: | ||
| 250 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 251 | # | ||
| 252 | function·service_command·{ | ||
| 253 | #·Load·function·arguments·into·local·variables | ||
| 254 | local·service_state=$1 | ||
| 255 | local·service=$2 | ||
| 256 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 257 | #·Check·sanity·of·the·input | ||
| 258 | if·[·$#·-lt·"2"·] | ||
| 259 | then | ||
| 260 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 261 | ··echo | ||
| 262 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 263 | ··echo·"as·the·last·argument"·· | ||
| 264 | ··echo·"Aborting." | ||
| 265 | ··exit·1 | ||
| 266 | fi | ||
| 267 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 268 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 269 | ··service_util="/usr/bin/systemctl" | ||
| 270 | else | ||
| 271 | ··service_util="/sbin/service" | ||
| 272 | ··chkconfig_util="/sbin/chkconfig" | ||
| 273 | fi | ||
| 274 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 275 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 276 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 277 | ··service_state="enable" | ||
| 278 | ··service_operation="start" | ||
| 279 | ··chkconfig_state="on" | ||
| 280 | else | ||
| 281 | ··service_state="disable" | ||
| 282 | ··service_operation="stop" | ||
| Max diff block lines reached; 399972/405921 bytes (98.53%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·206)·for·' | 275 | #·BEGIN·fix·(5·/·206)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/206:·' | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·206)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/206:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 476334/480616 bytes (99.11%) of diff not shown. | |||
| Offset 100, 195 lines modified | Offset 100, 31 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 108 | #·END·fix·for·'ntpd_specify_multiple_servers' | ||
| 109 | ############################################################################### | ||
| 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | ||
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | ||
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_remote_server' | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 109 | ############################################################################### |
| 116 | #·BEGIN·fix·( | 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_multiple_servers' |
| 117 | ############################################################################### | ||
| 118 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") | ||
| 119 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 120 | # | ||
| 121 | #·Example·Call(s): | ||
| 122 | # | ||
| 123 | #·····service_command·enable·bluetooth | ||
| 124 | #·····service_command·disable·bluetooth.service | ||
| 125 | # | ||
| 126 | #·····Using·xinetd: | ||
| 127 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 128 | # | ||
| 129 | function·service_command·{ | ||
| 130 | #·Load·function·arguments·into·local·variables | ||
| 131 | local·service_state=$1 | ||
| 132 | local·service=$2 | ||
| 133 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 134 | #·Check·sanity·of·the·input | ||
| 135 | if·[·$#·-lt·"2"·] | ||
| 136 | then | ||
| 137 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 138 | ··echo | ||
| 139 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 140 | ··echo·"as·the·last·argument"·· | ||
| 141 | ··echo·"Aborting." | ||
| 142 | ··exit·1 | ||
| 143 | fi | ||
| 144 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 145 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 146 | ··service_util="/usr/bin/systemctl" | ||
| 147 | else | ||
| 148 | ··service_util="/sbin/service" | ||
| 149 | ··chkconfig_util="/sbin/chkconfig" | ||
| 150 | fi | ||
| 151 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 152 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 153 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 154 | ··service_state="enable" | ||
| 155 | ··service_operation="start" | ||
| 156 | ··chkconfig_state="on" | ||
| 157 | else | ||
| 158 | ··service_state="disable" | ||
| 159 | ··service_operation="stop" | ||
| 160 | ··chkconfig_state="off" | ||
| 161 | fi | ||
| 162 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 163 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 164 | ··$service_util·$service·$service_operation | ||
| 165 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 166 | else | ||
| 167 | ··$service_util·$service_operation·$service | ||
| 168 | ··$service_util·$service_state·$service | ||
| 169 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 170 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 171 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 172 | ··$service_util·reset-failed·$service | ||
| 173 | fi | ||
| 174 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 175 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 176 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 177 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 178 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 179 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 180 | ··else | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··fi | ||
| 183 | fi | ||
| 184 | } | ||
| 185 | service_command·enable·crond | ||
| 186 | #·END·fix·for·'service_crond_enabled' | ||
| 187 | ############################################################################### | ||
| 188 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 189 | ############################################################################### | 111 | ############################################################################### |
| 190 | (>&2·echo·"Remediating·rule· | 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_multiple_servers'") |
| 191 | #·F | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 192 | # | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 193 | #·Example·Call(s): | ||
| 194 | # | ||
| 195 | #·····service_command·enable·bluetooth | ||
| 196 | #·····service_command·disable·bluetooth.service | ||
| 197 | # | ||
| 198 | #·····Using·xinetd: | ||
| 199 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 200 | # | ||
| 201 | function·service_command·{ | ||
| 202 | #·Load·function·arguments·into·local·variables | ||
| 203 | local·service_state=$1 | ||
| 204 | local·service=$2 | ||
| 205 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 206 | #·Check·sanity·of·the·input | ||
| 207 | if·[·$#·-lt·"2"·] | ||
| 208 | then | ||
| 209 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| Max diff block lines reached; 434330/440729 bytes (98.55%) of diff not shown. | |||
| Offset 25, 40 lines modified | Offset 25, 40 lines modified | ||
| 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' | 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") | 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | 28 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 29 | #·END·fix·for·'ftp_restrict_to_anon' | 29 | #·END·fix·for·'ftp_restrict_to_anon' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_ | 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 35 | #·END·fix·for·'ftp_ | 35 | #·END·fix·for·'ftp_present_banner' |
| 36 | ############################################################################### | 36 | ############################################################################### |
| 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_ | 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_disable_uploads' |
| 38 | ############################################################################### | 38 | ############################################################################### |
| 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_ | 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_disable_uploads'") |
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_ | 41 | #·END·fix·for·'ftp_disable_uploads' |
| 42 | ############################################################################### | 42 | ############################################################################### |
| 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_ | 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_home_partition' |
| 44 | ############################################################################### | 44 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_ | 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_home_partition'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 46 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'ftp_ | 47 | #·END·fix·for·'ftp_home_partition' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_ | 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_log_transactions' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_ | 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_log_transactions'") |
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | 52 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 53 | #·END·fix·for·'ftp_ | 53 | #·END·fix·for·'ftp_log_transactions' |
| 54 | ############################################################################### | 54 | ############################################################################### |
| 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' |
| 56 | ############################################################################### | 56 | ############################################################################### |
| 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") |
| 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 59 | # | 59 | # |
| Offset 97, 24 lines modified | Offset 97, 17 lines modified | ||
| 97 | } | 97 | } |
| 98 | package_install·vsftpd | 98 | package_install·vsftpd |
| 99 | #·END·fix·for·'package_vsftpd_installed' | 99 | #·END·fix·for·'package_vsftpd_installed' |
| 100 | ############################################################################### | 100 | ############################################################################### |
| 101 | #·BEGIN·fix·(7·/·192)·for·'s | 101 | #·BEGIN·fix·(7·/·192)·for·'service_ntpd_enabled' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | (>&2·echo·"Remediating·rule·7/192:·'s | 103 | (>&2·echo·"Remediating·rule·7/192:·'service_ntpd_enabled'") |
| 104 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 105 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 106 | ############################################################################### | ||
| 107 | #·BEGIN·fix·(8·/·192)·for·'service_ntpd_enabled' | ||
| 108 | ############################################################################### | ||
| 109 | (>&2·echo·"Remediating·rule·8/192:·'service_ntpd_enabled'") | ||
| 110 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 104 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 111 | # | 105 | # |
| 112 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 113 | # | 107 | # |
| 114 | #·····service_command·enable·bluetooth | 108 | #·····service_command·enable·bluetooth |
| 115 | #·····service_command·disable·bluetooth.service | 109 | #·····service_command·disable·bluetooth.service |
| 116 | # | 110 | # |
| Offset 186, 260 lines modified | Offset 179, 45 lines modified | ||
| 186 | } | 179 | } |
| 187 | service_command·enable·ntpd | 180 | service_command·enable·ntpd |
| 188 | #·END·fix·for·'service_ntpd_enabled' | 181 | #·END·fix·for·'service_ntpd_enabled' |
| 189 | ############################################################################### | 182 | ############################################################################### |
| 190 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(8·/·192)·for·'ntpd_specify_remote_server' |
| 191 | ############################################################################### | 184 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·8/192:·'ntpd_specify_remote_server'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 186 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·'ntpd_specify_remote_server' | 187 | #·END·fix·for·'ntpd_specify_remote_server' |
| 195 | ############################################################################### | 188 | ############################################################################### |
| 196 | #·BEGIN·fix·( | 189 | #·BEGIN·fix·(9·/·192)·for·'service_rlogin_disabled' |
| 197 | ############################################################################### | ||
| 198 | (>&2·echo·"Remediating·rule·10/192:·'service_crond_enabled'") | ||
| 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 200 | # | ||
| 201 | #·Example·Call(s): | ||
| 202 | # | ||
| 203 | #·····service_command·enable·bluetooth | ||
| 204 | #·····service_command·disable·bluetooth.service | ||
| 205 | # | ||
| 206 | #·····Using·xinetd: | ||
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 210 | #·Load·function·arguments·into·local·variables | ||
| 211 | local·service_state=$1 | ||
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-lt·"2"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 223 | fi | ||
| 224 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 225 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 226 | ··service_util="/usr/bin/systemctl" | ||
| 227 | else | ||
| 228 | ··service_util="/sbin/service" | ||
| 229 | ··chkconfig_util="/sbin/chkconfig" | ||
| 230 | fi | ||
| 231 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 232 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 233 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 234 | ··service_state="enable" | ||
| 235 | ··service_operation="start" | ||
| 236 | ··chkconfig_state="on" | ||
| 237 | else | ||
| 238 | ··service_state="disable" | ||
| Max diff block lines reached; 435638/446937 bytes (97.47%) of diff not shown. | |||
| Offset 192, 150 lines modified | Offset 192, 17 lines modified | ||
| 192 | } | 192 | } |
| 193 | package_remove·httpd | 193 | package_remove·httpd |
| 194 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | #·BEGIN·fix·(4·/·270)·for·'s | 196 | #·BEGIN·fix·(4·/·270)·for·'service_ntpd_enabled' |
| 197 | ############################################################################### | 197 | ############################################################################### |
| 198 | (>&2·echo·"Remediating·rule·4/270:·'s | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_ntpd_enabled'") |
| 199 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 200 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 201 | ############################################################################### | ||
| 202 | #·BEGIN·fix·(5·/·270)·for·'package_dhcp_removed' | ||
| 203 | ############################################################################### | ||
| 204 | (>&2·echo·"Remediating·rule·5/270:·'package_dhcp_removed'") | ||
| 205 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 206 | # | ||
| 207 | #·Example·Call(s): | ||
| 208 | # | ||
| 209 | #·····package_remove·telnet-server | ||
| 210 | # | ||
| 211 | function·package_remove·{ | ||
| 212 | #·Load·function·arguments·into·local·variables | ||
| 213 | local·package="$1" | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-ne·"1"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 218 | ··echo·"Aborting." | ||
| 219 | ··exit·1 | ||
| 220 | fi | ||
| 221 | if·which·dnf·;·then | ||
| 222 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 223 | ····dnf·remove·-y·"$package" | ||
| 224 | ··fi | ||
| 225 | elif·which·yum·;·then | ||
| 226 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 227 | ····yum·remove·-y·"$package" | ||
| 228 | ··fi | ||
| 229 | elif·which·apt-get·;·then | ||
| 230 | ··apt-get·remove·-y·"$package" | ||
| 231 | else | ||
| 232 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 233 | ··echo·"Aborting." | ||
| 234 | ··exit·1 | ||
| 235 | fi | ||
| 236 | } | ||
| 237 | package_remove·dhcp | ||
| 238 | #·END·fix·for·'package_dhcp_removed' | ||
| 239 | ############################################################################### | ||
| 240 | #·BEGIN·fix·(6·/·270)·for·'service_dhcpd_disabled' | ||
| 241 | ############################################################################### | ||
| 242 | (>&2·echo·"Remediating·rule·6/270:·'service_dhcpd_disabled'") | ||
| 243 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 244 | # | ||
| 245 | #·Example·Call(s): | ||
| 246 | # | ||
| 247 | #·····service_command·enable·bluetooth | ||
| 248 | #·····service_command·disable·bluetooth.service | ||
| 249 | # | ||
| 250 | #·····Using·xinetd: | ||
| 251 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 252 | # | ||
| 253 | function·service_command·{ | ||
| 254 | #·Load·function·arguments·into·local·variables | ||
| 255 | local·service_state=$1 | ||
| 256 | local·service=$2 | ||
| 257 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 258 | #·Check·sanity·of·the·input | ||
| 259 | if·[·$#·-lt·"2"·] | ||
| 260 | then | ||
| 261 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 262 | ··echo | ||
| 263 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 264 | ··echo·"as·the·last·argument"·· | ||
| 265 | ··echo·"Aborting." | ||
| 266 | ··exit·1 | ||
| 267 | fi | ||
| 268 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 269 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 270 | ··service_util="/usr/bin/systemctl" | ||
| 271 | else | ||
| 272 | ··service_util="/sbin/service" | ||
| 273 | ··chkconfig_util="/sbin/chkconfig" | ||
| 274 | fi | ||
| 275 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 276 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 277 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 278 | ··service_state="enable" | ||
| 279 | ··service_operation="start" | ||
| 280 | ··chkconfig_state="on" | ||
| 281 | else | ||
| 282 | ··service_state="disable" | ||
| 283 | ··service_operation="stop" | ||
| 284 | ··chkconfig_state="off" | ||
| 285 | fi | ||
| 286 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 287 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 288 | ··$service_util·$service·$service_operation | ||
| 289 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 290 | else | ||
| 291 | ··$service_util·$service_operation·$service | ||
| 292 | ··$service_util·$service_state·$service | ||
| 293 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 294 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 295 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 296 | ··$service_util·reset-failed·$service | ||
| 297 | fi | ||
| 298 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 299 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 300 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 301 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| Max diff block lines reached; 641174/645849 bytes (99.28%) of diff not shown. | |||
| Offset 100, 26 lines modified | Offset 100, 26 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 108 | #·END·fix·for·'ntpd_specify_ | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_ | 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_multiple_servers' |
| 111 | ############################################################################### | 111 | ############################################################################### |
| 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_ | 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_multiple_servers'") |
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_ | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' | 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' |
| 117 | ############################################################################### | 117 | ############################################################################### |
| 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") | 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") |
| 119 | sshd_idle_timeout_value="900" | 119 | sshd_idle_timeout_value="900" |
| Offset 128, 1110 lines modified | Offset 128, 61 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'i | 134 | #·BEGIN·fix·(5·/·94)·for·'auditd_audispd_syslog_plugin_activated' |
| 135 | ############################################################################### | ||
| 136 | (>&2·echo·"Remediating·rule·5/94:·'install_hids'") | ||
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 138 | #·END·fix·for·'install_hids' | ||
| 139 | ############################################################################### | ||
| 140 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_permissions' | ||
| 141 | ############################################################################### | ||
| 142 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_permissions'") | ||
| 143 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 144 | declare·-a·SETPERMS_RPM_LIST | ||
| 145 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 146 | #·is·expected·by·the·RPM·database | ||
| 147 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 148 | #·For·each·file·path·from·that·list: | ||
| 149 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 150 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 151 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 152 | do | ||
| 153 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 154 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 155 | done | ||
| 156 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 157 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 158 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 159 | #·correct·values | ||
| 160 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 161 | do | ||
| 162 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 163 | done | ||
| 164 | #·END·fix·for·'rpm_verify_permissions' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'rpm_verify_hashes' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'rpm_verify_hashes'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'rpm_verify_hashes' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| Max diff block lines reached; 178241/199543 bytes (89.32%) of diff not shown. | |||
| Offset 18, 120 lines modified | Offset 18, 38 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 28 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 29 | ############################################################################### |
| 102 | #·BEGIN·fix·( | 30 | #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled' |
| 103 | ############################################################################### | 31 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule· | 32 | (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'service_rexec_disabled' | 34 | #·END·fix·for·'service_rexec_disabled' |
| 107 | ############################################################################### | 35 | ############################################################################### |
| 108 | #·BEGIN·fix·( | 36 | #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled' |
| 109 | ############################################################################### | 37 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule· | 38 | (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 39 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'service_rsh_disabled' | 40 | #·END·fix·for·'service_rsh_disabled' |
| 113 | ############################################################################### | 41 | ############################################################################### |
| 114 | #·BEGIN·fix·( | 42 | #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed' |
| 115 | ############################################################################### | 43 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule· | 44 | (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'") |
| 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 118 | # | 46 | # |
| 119 | #·Example·Call(s): | 47 | #·Example·Call(s): |
| 120 | # | 48 | # |
| 121 | #·····package_remove·telnet-server | 49 | #·····package_remove·telnet-server |
| 122 | # | 50 | # |
| 123 | function·package_remove·{ | 51 | function·package_remove·{ |
| Offset 165, 17 lines modified | Offset 83, 17 lines modified | ||
| 165 | } | 83 | } |
| 166 | package_remove·rsh-server | 84 | package_remove·rsh-server |
| 167 | #·END·fix·for·'package_rsh-server_removed' | 85 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 82251/87188 bytes (94.34%) of diff not shown. | |||
| Offset 19, 24 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·186)·for·'s | 25 | #·BEGIN·fix·(1·/·186)·for·'service_ntpd_enabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/186:·'s | 27 | (>&2·echo·"Remediating·rule·1/186:·'service_ntpd_enabled'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 29 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 30 | ############################################################################### | ||
| 31 | #·BEGIN·fix·(2·/·186)·for·'service_ntpd_enabled' | ||
| 32 | ############################################################################### | ||
| 33 | (>&2·echo·"Remediating·rule·2/186:·'service_ntpd_enabled'") | ||
| 34 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 35 | # | 29 | # |
| 36 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 37 | # | 31 | # |
| 38 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 39 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 40 | # | 34 | # |
| Offset 108, 260 lines modified | Offset 101, 45 lines modified | ||
| 108 | } | 101 | } |
| 109 | service_command·enable·ntpd | 102 | service_command·enable·ntpd |
| 110 | #·END·fix·for·'service_ntpd_enabled' | 103 | #·END·fix·for·'service_ntpd_enabled' |
| 111 | ############################################################################### | 104 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 105 | #·BEGIN·fix·(2·/·186)·for·'ntpd_specify_remote_server' |
| 113 | ############################################################################### | 106 | ############################################################################### |
| 114 | (>&2·echo·"Remediating·rule· | 107 | (>&2·echo·"Remediating·rule·2/186:·'ntpd_specify_remote_server'") |
| 115 | #·FIX·FOR·THIS·RULE·IS·MISSING | 108 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 116 | #·END·fix·for·'ntpd_specify_remote_server' | 109 | #·END·fix·for·'ntpd_specify_remote_server' |
| 117 | ############################################################################### | 110 | ############################################################################### |
| 118 | #·BEGIN·fix·( | 111 | #·BEGIN·fix·(3·/·186)·for·'service_rlogin_disabled' |
| 119 | ############################################################################### | ||
| 120 | (>&2·echo·"Remediating·rule·4/186:·'service_crond_enabled'") | ||
| 121 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 122 | # | ||
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····service_command·enable·bluetooth | ||
| 126 | #·····service_command·disable·bluetooth.service | ||
| 127 | # | ||
| 128 | #·····Using·xinetd: | ||
| 129 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 130 | # | ||
| 131 | function·service_command·{ | ||
| 132 | #·Load·function·arguments·into·local·variables | ||
| 133 | local·service_state=$1 | ||
| 134 | local·service=$2 | ||
| 135 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 136 | #·Check·sanity·of·the·input | ||
| 137 | if·[·$#·-lt·"2"·] | ||
| 138 | then | ||
| 139 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 140 | ··echo | ||
| 141 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 142 | ··echo·"as·the·last·argument"·· | ||
| 143 | ··echo·"Aborting." | ||
| 144 | ··exit·1 | ||
| 145 | fi | ||
| 146 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 147 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 148 | ··service_util="/usr/bin/systemctl" | ||
| 149 | else | ||
| 150 | ··service_util="/sbin/service" | ||
| 151 | ··chkconfig_util="/sbin/chkconfig" | ||
| 152 | fi | ||
| 153 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 154 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 155 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 156 | ··service_state="enable" | ||
| 157 | ··service_operation="start" | ||
| 158 | ··chkconfig_state="on" | ||
| 159 | else | ||
| 160 | ··service_state="disable" | ||
| 161 | ··service_operation="stop" | ||
| 162 | ··chkconfig_state="off" | ||
| 163 | fi | ||
| 164 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 165 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 166 | ··$service_util·$service·$service_operation | ||
| 167 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 168 | else | ||
| 169 | ··$service_util·$service_operation·$service | ||
| 170 | ··$service_util·$service_state·$service | ||
| 171 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 172 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 173 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 174 | ··$service_util·reset-failed·$service | ||
| 175 | fi | ||
| 176 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 177 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 178 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 179 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 180 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··else | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··fi | ||
| 185 | fi | ||
| 186 | } | ||
| 187 | service_command·enable·crond | ||
| 188 | #·END·fix·for·'service_crond_enabled' | ||
| 189 | ############################################################################### | ||
| 190 | #·BEGIN·fix·(5·/·186)·for·'service_atd_disabled' | ||
| 191 | ############################################################################### | ||
| 192 | (>&2·echo·"Remediating·rule·5/186:·'service_atd_disabled'") | ||
| 193 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 194 | # | ||
| 195 | #·Example·Call(s): | ||
| Max diff block lines reached; 435598/444374 bytes (98.03%) of diff not shown. | |||
| Offset 109, 202 lines modified | Offset 109, 38 lines modified | ||
| 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' | 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") | 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'ntpd_specify_remote_server' | 113 | #·END·fix·for·'ntpd_specify_remote_server' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(3·/·182)·for·'service_ | 115 | #·BEGIN·fix·(3·/·182)·for·'service_rlogin_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·3/182:·'service_ | 117 | (>&2·echo·"Remediating·rule·3/182:·'service_rlogin_disabled'") |
| 118 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 119 | # | ||
| 120 | #·Example·Call(s): | ||
| 121 | # | ||
| 122 | #·····service_command·enable·bluetooth | ||
| 123 | #·····service_command·disable·bluetooth.service | ||
| 124 | # | ||
| 125 | #·····Using·xinetd: | ||
| 126 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 127 | # | ||
| 128 | function·service_command·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·service_state=$1 | ||
| 131 | local·service=$2 | ||
| 132 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 133 | #·Check·sanity·of·the·input | ||
| 134 | if·[·$#·-lt·"2"·] | ||
| 135 | then | ||
| 136 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 137 | ··echo | ||
| 138 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 139 | ··echo·"as·the·last·argument"·· | ||
| 140 | ··echo·"Aborting." | ||
| 141 | ··exit·1 | ||
| 142 | fi | ||
| 143 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 144 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 145 | ··service_util="/usr/bin/systemctl" | ||
| 146 | else | ||
| 147 | ··service_util="/sbin/service" | ||
| 148 | ··chkconfig_util="/sbin/chkconfig" | ||
| 149 | fi | ||
| 150 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 151 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 152 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 153 | ··service_state="enable" | ||
| 154 | ··service_operation="start" | ||
| 155 | ··chkconfig_state="on" | ||
| 156 | else | ||
| 157 | ··service_state="disable" | ||
| 158 | ··service_operation="stop" | ||
| 159 | ··chkconfig_state="off" | ||
| 160 | fi | ||
| 161 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 162 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 163 | ··$service_util·$service·$service_operation | ||
| 164 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 165 | else | ||
| 166 | ··$service_util·$service_operation·$service | ||
| 167 | ··$service_util·$service_state·$service | ||
| 168 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 169 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 170 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 171 | ··$service_util·reset-failed·$service | ||
| 172 | fi | ||
| 173 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 174 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 175 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 176 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 177 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 178 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 179 | ··else | ||
| 180 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 181 | ··fi | ||
| 182 | fi | ||
| 183 | } | ||
| 184 | service_command·enable·crond | ||
| 185 | #·END·fix·for·'service_crond_enabled' | ||
| 186 | ############################################################################### | ||
| 187 | #·BEGIN·fix·(4·/·182)·for·'service_atd_disabled' | ||
| 188 | ############################################################################### | ||
| 189 | (>&2·echo·"Remediating·rule·4/182:·'service_atd_disabled'") | ||
| 190 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 191 | # | ||
| 192 | #·Example·Call(s): | ||
| 193 | # | ||
| 194 | #·····service_command·enable·bluetooth | ||
| 195 | #·····service_command·disable·bluetooth.service | ||
| 196 | # | ||
| 197 | #·····Using·xinetd: | ||
| 198 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 199 | # | ||
| 200 | function·service_command·{ | ||
| 201 | #·Load·function·arguments·into·local·variables | ||
| 202 | local·service_state=$1 | ||
| 203 | local·service=$2 | ||
| 204 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 205 | #·Check·sanity·of·the·input | ||
| 206 | if·[·$#·-lt·"2"·] | ||
| 207 | then | ||
| 208 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 209 | ··echo | ||
| 210 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 211 | ··echo·"as·the·last·argument"·· | ||
| 212 | ··echo·"Aborting." | ||
| 213 | ··exit·1 | ||
| 214 | fi | ||
| 215 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 216 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 217 | ··service_util="/usr/bin/systemctl" | ||
| 218 | else | ||
| 219 | ··service_util="/sbin/service" | ||
| 220 | ··chkconfig_util="/sbin/chkconfig" | ||
| 221 | fi | ||
| Max diff block lines reached; 433117/439084 bytes (98.64%) of diff not shown. | |||
| Offset 25, 38 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_ | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_present_banner' | 35 | #·END·fix·for·'ftp_present_banner' |
| 42 | ############################################################################### | 36 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_log_transactions' |
| 44 | ############################################################################### | 38 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_log_transactions'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·' | 41 | #·END·fix·for·'ftp_log_transactions' |
| 48 | ############################################################################### | 42 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 43 | #·BEGIN·fix·(3·/·250)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | 44 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule· | 45 | (>&2·echo·"Remediating·rule·3/250:·'service_ntpd_enabled'") |
| 52 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 46 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 53 | # | 47 | # |
| 54 | #·Example·Call(s): | 48 | #·Example·Call(s): |
| 55 | # | 49 | # |
| 56 | #·····service_command·enable·bluetooth | 50 | #·····service_command·enable·bluetooth |
| 57 | #·····service_command·disable·bluetooth.service | 51 | #·····service_command·disable·bluetooth.service |
| 58 | # | 52 | # |
| Offset 128, 274 lines modified | Offset 121, 59 lines modified | ||
| 128 | } | 121 | } |
| 129 | service_command·enable·ntpd | 122 | service_command·enable·ntpd |
| 130 | #·END·fix·for·'service_ntpd_enabled' | 123 | #·END·fix·for·'service_ntpd_enabled' |
| 131 | ############################################################################### | 124 | ############################################################################### |
| 132 | #·BEGIN·fix·( | 125 | #·BEGIN·fix·(4·/·250)·for·'ntpd_specify_remote_server' |
| 133 | ############################################################################### | 126 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule· | 127 | (>&2·echo·"Remediating·rule·4/250:·'ntpd_specify_remote_server'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'ntpd_specify_remote_server' | 129 | #·END·fix·for·'ntpd_specify_remote_server' |
| 137 | ############################################################################### | 130 | ############################################################################### |
| 138 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(5·/·250)·for·'snmpd_use_newer_protocol' |
| 139 | ############################################################################### | 132 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·5/250:·'snmpd_use_newer_protocol'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·'snmpd_use_newer_protocol' | 135 | #·END·fix·for·'snmpd_use_newer_protocol' |
| 143 | ############################################################################### | 136 | ############################################################################### |
| 144 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(6·/·250)·for·'snmpd_not_default_password' |
| 145 | ############################################################################### | 138 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·6/250:·'snmpd_not_default_password'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·'snmpd_not_default_password' | 141 | #·END·fix·for·'snmpd_not_default_password' |
| 149 | ############################################################################### | 142 | ############################################################################### |
| 150 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(7·/·250)·for·'service_rlogin_disabled' |
| 151 | ############################################################################### | ||
| 152 | (>&2·echo·"Remediating·rule·8/250:·'service_crond_enabled'") | ||
| 153 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 154 | # | ||
| 155 | #·Example·Call(s): | ||
| 156 | # | ||
| 157 | #·····service_command·enable·bluetooth | ||
| 158 | #·····service_command·disable·bluetooth.service | ||
| 159 | # | ||
| 160 | #·····Using·xinetd: | ||
| 161 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 162 | # | ||
| 163 | function·service_command·{ | ||
| 164 | #·Load·function·arguments·into·local·variables | ||
| 165 | local·service_state=$1 | ||
| 166 | local·service=$2 | ||
| 167 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 168 | #·Check·sanity·of·the·input | ||
| 169 | if·[·$#·-lt·"2"·] | ||
| 170 | then | ||
| 171 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 172 | ··echo | ||
| 173 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 174 | ··echo·"as·the·last·argument"·· | ||
| 175 | ··echo·"Aborting." | ||
| 176 | ··exit·1 | ||
| 177 | fi | ||
| 178 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 179 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 180 | ··service_util="/usr/bin/systemctl" | ||
| 181 | else | ||
| 182 | ··service_util="/sbin/service" | ||
| 183 | ··chkconfig_util="/sbin/chkconfig" | ||
| 184 | fi | ||
| 185 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 186 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 187 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 188 | ··service_state="enable" | ||
| 189 | ··service_operation="start" | ||
| 190 | ··chkconfig_state="on" | ||
| 191 | else | ||
| 192 | ··service_state="disable" | ||
| 193 | ··service_operation="stop" | ||
| 194 | ··chkconfig_state="off" | ||
| 195 | fi | ||
| 196 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 197 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 198 | ··$service_util·$service·$service_operation | ||
| 199 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 200 | else | ||
| 201 | ··$service_util·$service_operation·$service | ||
| 202 | ··$service_util·$service_state·$service | ||
| 203 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 204 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| Max diff block lines reached; 606625/617308 bytes (98.27%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·223)·for·' | 275 | #·BEGIN·fix·(5·/·223)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/223:·' | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·223)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/223:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 492856/497138 bytes (99.14%) of diff not shown. | |||
| Offset 90, 48 lines modified | Offset 90, 48 lines modified | ||
| 90 | # | 90 | # |
| 91 | #·Stop·rlogin.socket·if·currently·running | 91 | #·Stop·rlogin.socket·if·currently·running |
| 92 | # | 92 | # |
| 93 | systemctl·stop·rlogin.socket | 93 | systemctl·stop·rlogin.socket |
| 94 | #·END·fix·for·'service_rlogin_disabled' | 94 | #·END·fix·for·'service_rlogin_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(3·/·213)·for·'service_r | 96 | #·BEGIN·fix·(3·/·213)·for·'service_rsh_disabled' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·3/213:·'service_r | 98 | (>&2·echo·"Remediating·rule·3/213:·'service_rsh_disabled'") |
| 99 | grep·-qi·disable·/etc/xinetd.d/r | 99 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 101 | # | 101 | # |
| 102 | #·Disable·r | 102 | #·Disable·rsh.socket·for·all·systemd·targets |
| 103 | # | 103 | # |
| 104 | systemctl·disable·r | 104 | systemctl·disable·rsh.socket |
| 105 | # | 105 | # |
| 106 | #·Stop·r | 106 | #·Stop·rsh.socket·if·currently·running |
| 107 | # | 107 | # |
| 108 | systemctl·stop·r | 108 | systemctl·stop·rsh.socket |
| 109 | #·END·fix·for·'service_r | 109 | #·END·fix·for·'service_rsh_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | #·BEGIN·fix·(4·/·213)·for·'service_r | 111 | #·BEGIN·fix·(4·/·213)·for·'service_rexec_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | (>&2·echo·"Remediating·rule·4/213:·'service_r | 113 | (>&2·echo·"Remediating·rule·4/213:·'service_rexec_disabled'") |
| 114 | grep·-qi·disable·/etc/xinetd.d/r | 114 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 116 | # | 116 | # |
| 117 | #·Disable·r | 117 | #·Disable·rexec.socket·for·all·systemd·targets |
| 118 | # | 118 | # |
| 119 | systemctl·disable·r | 119 | systemctl·disable·rexec.socket |
| 120 | # | 120 | # |
| 121 | #·Stop·r | 121 | #·Stop·rexec.socket·if·currently·running |
| 122 | # | 122 | # |
| 123 | systemctl·stop·r | 123 | systemctl·stop·rexec.socket |
| 124 | #·END·fix·for·'service_r | 124 | #·END·fix·for·'service_rexec_disabled' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' | 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") | 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") |
| 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; |
| Offset 369, 61 lines modified | Offset 369, 17 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled' |
| 374 | ############################################################################### | ||
| 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") | ||
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | 374 | ############################################################################### |
| 413 | (>&2·echo·"Remediating·rule·1 | 375 | (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'") |
| 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 415 | # | 377 | # |
| 416 | #·Example·Call(s): | 378 | #·Example·Call(s): |
| 417 | # | 379 | # |
| 418 | #·····service_command·enable·bluetooth | 380 | #·····service_command·enable·bluetooth |
| 419 | #·····service_command·disable·bluetooth.service | 381 | #·····service_command·disable·bluetooth.service |
| 420 | # | 382 | # |
| Offset 495, 14 lines modified | Offset 451, 58 lines modified | ||
| 495 | } | 451 | } |
| 496 | service_command·disable·xinetd | 452 | service_command·disable·xinetd |
| 497 | #·END·fix·for·'service_xinetd_disabled' | 453 | #·END·fix·for·'service_xinetd_disabled' |
| 498 | ############################################################################### | 454 | ############################################################################### |
| 455 | #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed' | ||
| 456 | ############################################################################### | ||
| 457 | (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'") | ||
| 458 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 459 | # | ||
| 460 | #·Example·Call(s): | ||
| 461 | # | ||
| 462 | #·····package_install·aide | ||
| 463 | # | ||
| Max diff block lines reached; 140250/145947 bytes (96.10%) of diff not shown. | |||
| Offset 969, 28 lines modified | Offset 969, 28 lines modified | ||
| 969 | ··fi | 969 | ··fi |
| 970 | } | 970 | } |
| 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' | 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' |
| 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' | 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' |
| 973 | ############################################################################### | 973 | ############################################################################### |
| 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_ | 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 975 | ############################################################################### | 975 | ############################################################################### |
| 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_ | 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_conf_default_accept_redirects'") |
| 977 | sysctl_net_ipv4_ | 977 | sysctl_net_ipv4_conf_default_accept_redirects_value="0" |
| 978 | # | 978 | # |
| 979 | #·Set·runtime·for·net.ipv4. | 979 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 980 | # | 980 | # |
| 981 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 981 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 982 | # | 982 | # |
| 983 | #·If·net.ipv4. | 983 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 984 | #» else,·add·"net.ipv4. | 984 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 985 | # | 985 | # |
| 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 987 | #·it·does·not·exist. | 987 | #·it·does·not·exist. |
| 988 | # | 988 | # |
| 989 | #·Expects·arguments: | 989 | #·Expects·arguments: |
| 990 | # | 990 | # |
| 991 | #·config_file:» » Configuration·file·that·will·be·modified | 991 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1062, 32 lines modified | Offset 1062, 32 lines modified | ||
| 1062 | ··else | 1062 | ··else |
| 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1066 | ··fi | 1066 | ··fi |
| 1067 | } | 1067 | } |
| 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1069 | #·END·fix·for·'sysctl_net_ipv4_ | 1069 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 1070 | ############################################################################### | 1070 | ############################################################################### |
| 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_ | 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1072 | ############################################################################### | 1072 | ############################################################################### |
| 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_ | 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_all_accept_redirects'") |
| 1074 | sysctl_net_ipv4_conf_ | 1074 | sysctl_net_ipv4_conf_all_accept_redirects_value="0" |
| 1075 | # | 1075 | # |
| 1076 | #·Set·runtime·for·net.ipv4.conf. | 1076 | #·Set·runtime·for·net.ipv4.conf.all.accept_redirects |
| 1077 | # | 1077 | # |
| 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf. | 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value |
| 1079 | # | 1079 | # |
| 1080 | #·If·net.ipv4.conf. | 1080 | #·If·net.ipv4.conf.all.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1081 | #» else,·add·"net.ipv4.conf. | 1081 | #» else,·add·"net.ipv4.conf.all.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1082 | # | 1082 | # |
| 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1084 | #·it·does·not·exist. | 1084 | #·it·does·not·exist. |
| 1085 | # | 1085 | # |
| 1086 | #·Expects·arguments: | 1086 | #·Expects·arguments: |
| 1087 | # | 1087 | # |
| 1088 | #·config_file:» » Configuration·file·that·will·be·modified | 1088 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1159, 32 lines modified | Offset 1159, 32 lines modified | ||
| 1159 | ··else | 1159 | ··else |
| 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1163 | ··fi | 1163 | ··fi |
| 1164 | } | 1164 | } |
| 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf. | 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.all.accept_redirects'·"$sysctl_net_ipv4_conf_all_accept_redirects_value"·'CCE-80158-9' |
| 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_ | 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1167 | ############################################################################### | 1167 | ############################################################################### |
| 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_ | 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1169 | ############################################################################### | 1169 | ############################################################################### |
| 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_ | 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") |
| 1171 | sysctl_net_ipv4_ | 1171 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="1" |
| 1172 | # | 1172 | # |
| 1173 | #·Set·runtime·for·net.ipv4. | 1173 | #·Set·runtime·for·net.ipv4.icmp_echo_ignore_broadcasts |
| 1174 | # | 1174 | # |
| 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value |
| 1176 | # | 1176 | # |
| 1177 | #·If·net.ipv4. | 1177 | #·If·net.ipv4.icmp_echo_ignore_broadcasts·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1178 | #» else,·add·"net.ipv4. | 1178 | #» else,·add·"net.ipv4.icmp_echo_ignore_broadcasts·=·value"·to·/etc/sysctl.conf |
| 1179 | # | 1179 | # |
| 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1181 | #·it·does·not·exist. | 1181 | #·it·does·not·exist. |
| 1182 | # | 1182 | # |
| 1183 | #·Expects·arguments: | 1183 | #·Expects·arguments: |
| 1184 | # | 1184 | # |
| 1185 | #·config_file:» » Configuration·file·that·will·be·modified | 1185 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1256, 32 lines modified | Offset 1256, 32 lines modified | ||
| 1256 | ··else | 1256 | ··else |
| 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1260 | ··fi | 1260 | ··fi |
| 1261 | } | 1261 | } |
| 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.icmp_echo_ignore_broadcasts'·"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"·'CCE-80165-4' |
| 1263 | #·END·fix·for·'sysctl_net_ipv4_ | 1263 | #·END·fix·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1264 | ############################################################################### | 1264 | ############################################################################### |
| 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_ | 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_tcp_syncookies' |
| 1266 | ############################################################################### | 1266 | ############################################################################### |
| 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_ | 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_tcp_syncookies'") |
| 1268 | sysctl_net_ipv4_ | 1268 | sysctl_net_ipv4_tcp_syncookies_value="1" |
| 1269 | # | 1269 | # |
| 1270 | #·Set·runtime·for·net.ipv4. | 1270 | #·Set·runtime·for·net.ipv4.tcp_syncookies |
| 1271 | # | 1271 | # |
| 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value |
| 1273 | # | 1273 | # |
| 1274 | #·If·net.ipv4. | 1274 | #·If·net.ipv4.tcp_syncookies·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1275 | #» else,·add·"net.ipv4. | 1275 | #» else,·add·"net.ipv4.tcp_syncookies·=·value"·to·/etc/sysctl.conf |
| 1276 | # | 1276 | # |
| 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1278 | #·it·does·not·exist. | 1278 | #·it·does·not·exist. |
| 1279 | # | 1279 | # |
| 1280 | #·Expects·arguments: | 1280 | #·Expects·arguments: |
| 1281 | # | 1281 | # |
| 1282 | #·config_file:» » Configuration·file·that·will·be·modified | 1282 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 70926/79104 bytes (89.66%) of diff not shown. | |||
| Offset 88, 48 lines modified | Offset 88, 48 lines modified | ||
| 88 | # | 88 | # |
| 89 | #·Stop·rlogin.socket·if·currently·running | 89 | #·Stop·rlogin.socket·if·currently·running |
| 90 | # | 90 | # |
| 91 | systemctl·stop·rlogin.socket | 91 | systemctl·stop·rlogin.socket |
| 92 | #·END·fix·for·'service_rlogin_disabled' | 92 | #·END·fix·for·'service_rlogin_disabled' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(3·/·149)·for·'service_r | 94 | #·BEGIN·fix·(3·/·149)·for·'service_rsh_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·3/149:·'service_r | 96 | (>&2·echo·"Remediating·rule·3/149:·'service_rsh_disabled'") |
| 97 | grep·-qi·disable·/etc/xinetd.d/r | 97 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 99 | # | 99 | # |
| 100 | #·Disable·r | 100 | #·Disable·rsh.socket·for·all·systemd·targets |
| 101 | # | 101 | # |
| 102 | systemctl·disable·r | 102 | systemctl·disable·rsh.socket |
| 103 | # | 103 | # |
| 104 | #·Stop·r | 104 | #·Stop·rsh.socket·if·currently·running |
| 105 | # | 105 | # |
| 106 | systemctl·stop·r | 106 | systemctl·stop·rsh.socket |
| 107 | #·END·fix·for·'service_r | 107 | #·END·fix·for·'service_rsh_disabled' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(4·/·149)·for·'service_r | 109 | #·BEGIN·fix·(4·/·149)·for·'service_rexec_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·4/149:·'service_r | 111 | (>&2·echo·"Remediating·rule·4/149:·'service_rexec_disabled'") |
| 112 | grep·-qi·disable·/etc/xinetd.d/r | 112 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 114 | # | 114 | # |
| 115 | #·Disable·r | 115 | #·Disable·rexec.socket·for·all·systemd·targets |
| 116 | # | 116 | # |
| 117 | systemctl·disable·r | 117 | systemctl·disable·rexec.socket |
| 118 | # | 118 | # |
| 119 | #·Stop·r | 119 | #·Stop·rexec.socket·if·currently·running |
| 120 | # | 120 | # |
| 121 | systemctl·stop·r | 121 | systemctl·stop·rexec.socket |
| 122 | #·END·fix·for·'service_r | 122 | #·END·fix·for·'service_rexec_disabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' | 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") | 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") |
| 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 128 | # | 128 | # |
| Offset 2482, 29 lines modified | Offset 2482, 29 lines modified | ||
| 2482 | ··fi | 2482 | ··fi |
| 2483 | } | 2483 | } |
| 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' | 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' |
| 2485 | #·END·fix·for·'selinux_policytype' | 2485 | #·END·fix·for·'selinux_policytype' |
| 2486 | ############################################################################### | 2486 | ############################################################################### |
| 2487 | #·BEGIN·fix·(44·/·149)·for·' | 2487 | #·BEGIN·fix·(44·/·149)·for·'enable_selinux_bootloader' |
| 2488 | ############################################################################### | ||
| 2489 | (>&2·echo·"Remediating·rule·44/149:·'selinux_confinement_of_daemons'") | ||
| 2490 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2491 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2492 | ############################################################################### | 2488 | ############################################################################### |
| 2493 | 2489 | (>&2·echo·"Remediating·rule·44/149:·'enable_selinux_bootloader'") | |
| 2494 | ############################################################################### | ||
| 2495 | (>&2·echo·"Remediating·rule·45/149:·'enable_selinux_bootloader'") | ||
| 2496 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2490 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2497 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2491 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2498 | #·END·fix·for·'enable_selinux_bootloader' | 2492 | #·END·fix·for·'enable_selinux_bootloader' |
| 2499 | ############################################################################### | 2493 | ############################################################################### |
| 2494 | #·BEGIN·fix·(45·/·149)·for·'selinux_confinement_of_daemons' | ||
| 2495 | ############################################################################### | ||
| 2496 | (>&2·echo·"Remediating·rule·45/149:·'selinux_confinement_of_daemons'") | ||
| 2497 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2498 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2499 | ############################################################################### | ||
| 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' | 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' |
| 2501 | ############################################################################### | 2501 | ############################################################################### |
| 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") | 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") |
| 2503 | var_selinux_state="enforcing" | 2503 | var_selinux_state="enforcing" |
| 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 2505 | #·it·does·not·exist. | 2505 | #·it·does·not·exist. |
| Offset 2587, 35 lines modified | Offset 2587, 35 lines modified | ||
| 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' | 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' |
| 2588 | fixfiles·onboot | 2588 | fixfiles·onboot |
| 2589 | fixfiles·-f·relabel | 2589 | fixfiles·-f·relabel |
| 2590 | #·END·fix·for·'selinux_state' | 2590 | #·END·fix·for·'selinux_state' |
| 2591 | ############################################################################### | 2591 | ############################################################################### |
| 2592 | #·BEGIN·fix·(47·/·149)·for·' | 2592 | #·BEGIN·fix·(47·/·149)·for·'no_direct_root_logins' |
| 2593 | ############################################################################### | 2593 | ############################################################################### |
| 2594 | (>&2·echo·"Remediating·rule·47/149:·' | 2594 | (>&2·echo·"Remediating·rule·47/149:·'no_direct_root_logins'") |
| 2595 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2596 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2597 | ############################################################################### | ||
| 2598 | #·BEGIN·fix·(48·/·149)·for·'no_direct_root_logins' | ||
| 2599 | ############################################################################### | ||
| 2600 | (>&2·echo·"Remediating·rule·48/149:·'no_direct_root_logins'") | ||
| 2601 | echo·>·/etc/securetty | 2595 | echo·>·/etc/securetty |
| 2602 | #·END·fix·for·'no_direct_root_logins' | 2596 | #·END·fix·for·'no_direct_root_logins' |
| 2603 | ############################################################################### | 2597 | ############################################################################### |
| 2604 | #·BEGIN·fix·(4 | 2598 | #·BEGIN·fix·(48·/·149)·for·'securetty_root_login_console_only' |
| 2605 | ############################################################################### | 2599 | ############################################################################### |
| 2606 | (>&2·echo·"Remediating·rule·4 | 2600 | (>&2·echo·"Remediating·rule·48/149:·'securetty_root_login_console_only'") |
| 2607 | sed·-i·'/^vc\//d'·/etc/securetty | 2601 | sed·-i·'/^vc\//d'·/etc/securetty |
| 2608 | #·END·fix·for·'securetty_root_login_console_only' | 2602 | #·END·fix·for·'securetty_root_login_console_only' |
| 2609 | ############################################################################### | 2603 | ############################################################################### |
| 2604 | #·BEGIN·fix·(49·/·149)·for·'restrict_serial_port_logins' | ||
| 2605 | ############################################################################### | ||
| 2606 | (>&2·echo·"Remediating·rule·49/149:·'restrict_serial_port_logins'") | ||
| 2607 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2608 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2609 | ############################################################################### | ||
| 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' | 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' |
| 2611 | ############################################################################### | 2611 | ############################################################################### |
| 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") | 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") |
| 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 2615 | #·END·fix·for·'no_empty_passwords' | 2615 | #·END·fix·for·'no_empty_passwords' |
| Max diff block lines reached; 121413/128266 bytes (94.66%) of diff not shown. | |||
| Offset 96, 48 lines modified | Offset 96, 48 lines modified | ||
| 96 | # | 96 | # |
| 97 | #·Stop·rlogin.socket·if·currently·running | 97 | #·Stop·rlogin.socket·if·currently·running |
| 98 | # | 98 | # |
| 99 | systemctl·stop·rlogin.socket | 99 | systemctl·stop·rlogin.socket |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(3·/·358)·for·'service_r | 102 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 104 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 105 | grep·-qi·disable·/etc/xinetd.d/r | 105 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 107 | # | 107 | # |
| 108 | #·Disable·r | 108 | #·Disable·rsh.socket·for·all·systemd·targets |
| 109 | # | 109 | # |
| 110 | systemctl·disable·r | 110 | systemctl·disable·rsh.socket |
| 111 | # | 111 | # |
| 112 | #·Stop·r | 112 | #·Stop·rsh.socket·if·currently·running |
| 113 | # | 113 | # |
| 114 | systemctl·stop·r | 114 | systemctl·stop·rsh.socket |
| 115 | #·END·fix·for·'service_r | 115 | #·END·fix·for·'service_rsh_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | #·BEGIN·fix·(4·/·358)·for·'service_r | 117 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 119 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 120 | grep·-qi·disable·/etc/xinetd.d/r | 120 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 122 | # | 122 | # |
| 123 | #·Disable·r | 123 | #·Disable·rexec.socket·for·all·systemd·targets |
| 124 | # | 124 | # |
| 125 | systemctl·disable·r | 125 | systemctl·disable·rexec.socket |
| 126 | # | 126 | # |
| 127 | #·Stop·r | 127 | #·Stop·rexec.socket·if·currently·running |
| 128 | # | 128 | # |
| 129 | systemctl·stop·r | 129 | systemctl·stop·rexec.socket |
| 130 | #·END·fix·for·'service_r | 130 | #·END·fix·for·'service_rexec_disabled' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 136 | # |
| Offset 3080, 17 lines modified | Offset 3080, 113 lines modified | ||
| 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3081 | ############################################################################### | 3081 | ############################################################################### |
| 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3084 | #·END·fix·for·'rsyslog_nolisten' | 3084 | #·END·fix·for·'rsyslog_nolisten' |
| 3085 | ############################################################################### | 3085 | ############################################################################### |
| 3086 | #·BEGIN·fix·(59·/·358)·for·'s | 3086 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3087 | ############################################################################### | ||
| 3088 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3089 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3090 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3091 | ############################################################################### | ||
| 3092 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3093 | ############################################################################### | ||
| 3094 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3095 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3096 | # | ||
| 3097 | #·Example·Call(s): | ||
| 3098 | # | ||
| 3099 | #·····service_command·enable·bluetooth | ||
| 3100 | #·····service_command·disable·bluetooth.service | ||
| 3101 | # | ||
| 3102 | #·····Using·xinetd: | ||
| 3103 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3104 | # | ||
| 3105 | function·service_command·{ | ||
| 3106 | #·Load·function·arguments·into·local·variables | ||
| 3107 | local·service_state=$1 | ||
| 3108 | local·service=$2 | ||
| 3109 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3110 | #·Check·sanity·of·the·input | ||
| 3111 | if·[·$#·-lt·"2"·] | ||
| 3112 | then | ||
| 3113 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3114 | ··echo | ||
| 3115 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3116 | ··echo·"as·the·last·argument"·· | ||
| 3117 | ··echo·"Aborting." | ||
| 3118 | ··exit·1 | ||
| 3119 | fi | ||
| 3120 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3121 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3122 | ··service_util="/usr/bin/systemctl" | ||
| 3123 | else | ||
| 3124 | ··service_util="/sbin/service" | ||
| 3125 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3126 | fi | ||
| 3127 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3128 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3129 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3130 | ··service_state="enable" | ||
| 3131 | ··service_operation="start" | ||
| 3132 | ··chkconfig_state="on" | ||
| 3133 | else | ||
| 3134 | ··service_state="disable" | ||
| 3135 | ··service_operation="stop" | ||
| 3136 | ··chkconfig_state="off" | ||
| 3137 | fi | ||
| 3138 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3139 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3140 | ··$service_util·$service·$service_operation | ||
| 3141 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3142 | else | ||
| 3143 | ··$service_util·$service_operation·$service | ||
| 3144 | ··$service_util·$service_state·$service | ||
| 3145 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3146 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3147 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3148 | ··$service_util·reset-failed·$service | ||
| 3149 | fi | ||
| Max diff block lines reached; 244908/250997 bytes (97.57%) of diff not shown. | |||
| Offset 107, 48 lines modified | Offset 107, 48 lines modified | ||
| 107 | # | 107 | # |
| 108 | #·Stop·rlogin.socket·if·currently·running | 108 | #·Stop·rlogin.socket·if·currently·running |
| 109 | # | 109 | # |
| 110 | systemctl·stop·rlogin.socket | 110 | systemctl·stop·rlogin.socket |
| 111 | #·END·fix·for·'service_rlogin_disabled' | 111 | #·END·fix·for·'service_rlogin_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | #·BEGIN·fix·(3·/·358)·for·'service_r | 113 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 115 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 116 | grep·-qi·disable·/etc/xinetd.d/r | 116 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 118 | # | 118 | # |
| 119 | #·Disable·r | 119 | #·Disable·rsh.socket·for·all·systemd·targets |
| 120 | # | 120 | # |
| 121 | systemctl·disable·r | 121 | systemctl·disable·rsh.socket |
| 122 | # | 122 | # |
| 123 | #·Stop·r | 123 | #·Stop·rsh.socket·if·currently·running |
| 124 | # | 124 | # |
| 125 | systemctl·stop·r | 125 | systemctl·stop·rsh.socket |
| 126 | #·END·fix·for·'service_r | 126 | #·END·fix·for·'service_rsh_disabled' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | #·BEGIN·fix·(4·/·358)·for·'service_r | 128 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 130 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 131 | grep·-qi·disable·/etc/xinetd.d/r | 131 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 133 | # | 133 | # |
| 134 | #·Disable·r | 134 | #·Disable·rexec.socket·for·all·systemd·targets |
| 135 | # | 135 | # |
| 136 | systemctl·disable·r | 136 | systemctl·disable·rexec.socket |
| 137 | # | 137 | # |
| 138 | #·Stop·r | 138 | #·Stop·rexec.socket·if·currently·running |
| 139 | # | 139 | # |
| 140 | systemctl·stop·r | 140 | systemctl·stop·rexec.socket |
| 141 | #·END·fix·for·'service_r | 141 | #·END·fix·for·'service_rexec_disabled' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 147 | # | 147 | # |
| Offset 3091, 17 lines modified | Offset 3091, 113 lines modified | ||
| 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3092 | ############################################################################### | 3092 | ############################################################################### |
| 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3095 | #·END·fix·for·'rsyslog_nolisten' | 3095 | #·END·fix·for·'rsyslog_nolisten' |
| 3096 | ############################################################################### | 3096 | ############################################################################### |
| 3097 | #·BEGIN·fix·(59·/·358)·for·'s | 3097 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3098 | ############################################################################### | ||
| 3099 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3100 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3101 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3102 | ############################################################################### | ||
| 3103 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3104 | ############################################################################### | ||
| 3105 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3106 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3107 | # | ||
| 3108 | #·Example·Call(s): | ||
| 3109 | # | ||
| 3110 | #·····service_command·enable·bluetooth | ||
| 3111 | #·····service_command·disable·bluetooth.service | ||
| 3112 | # | ||
| 3113 | #·····Using·xinetd: | ||
| 3114 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3115 | # | ||
| 3116 | function·service_command·{ | ||
| 3117 | #·Load·function·arguments·into·local·variables | ||
| 3118 | local·service_state=$1 | ||
| 3119 | local·service=$2 | ||
| 3120 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3121 | #·Check·sanity·of·the·input | ||
| 3122 | if·[·$#·-lt·"2"·] | ||
| 3123 | then | ||
| 3124 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3125 | ··echo | ||
| 3126 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3127 | ··echo·"as·the·last·argument"·· | ||
| 3128 | ··echo·"Aborting." | ||
| 3129 | ··exit·1 | ||
| 3130 | fi | ||
| 3131 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3132 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3133 | ··service_util="/usr/bin/systemctl" | ||
| 3134 | else | ||
| 3135 | ··service_util="/sbin/service" | ||
| 3136 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3137 | fi | ||
| 3138 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3139 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3140 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3141 | ··service_state="enable" | ||
| 3142 | ··service_operation="start" | ||
| 3143 | ··chkconfig_state="on" | ||
| 3144 | else | ||
| 3145 | ··service_state="disable" | ||
| 3146 | ··service_operation="stop" | ||
| 3147 | ··chkconfig_state="off" | ||
| 3148 | fi | ||
| 3149 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3150 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3151 | ··$service_util·$service·$service_operation | ||
| 3152 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3153 | else | ||
| 3154 | ··$service_util·$service_operation·$service | ||
| 3155 | ··$service_util·$service_state·$service | ||
| 3156 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3157 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3158 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3159 | ··$service_util·reset-failed·$service | ||
| 3160 | fi | ||
| Max diff block lines reached; 244908/250999 bytes (97.57%) of diff not shown. | |||
| Offset 376, 31 lines modified | Offset 376, 38 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_idle_timeout' | 379 | #·END·fix·for·'sshd_set_idle_timeout' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(5·/·94)·for·' | 381 | #·BEGIN·fix·(5·/·94)·for·'ensure_logrotate_activated' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·5/94:·' | 383 | (>&2·echo·"Remediating·rule·5/94:·'ensure_logrotate_activated'") |
| 384 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 385 | #·END·fix·for·'rsyslog_files_groupownership' | ||
| 386 | 384 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | |
| 387 | 385 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | |
| 388 | ############################################################################### | ||
| 389 | 386 | #·daily·rotation·is·configured | |
| 390 | 387 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | |
| 391 | #·END·fix·for·'rsyslog_files_ownership' | ||
| 388 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 389 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 390 | #·configure·cron.daily·if·not·already | ||
| 391 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 392 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 393 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 394 | fi | ||
| 395 | #·END·fix·for·'ensure_logrotate_activated' | ||
| 392 | ############################################################################### | 396 | ############################################################################### |
| 393 | #·BEGIN·fix·( | 397 | #·BEGIN·fix·(6·/·94)·for·'rsyslog_files_permissions' |
| 394 | ############################################################################### | 398 | ############################################################################### |
| 395 | (>&2·echo·"Remediating·rule· | 399 | (>&2·echo·"Remediating·rule·6/94:·'rsyslog_files_permissions'") |
| 396 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 400 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 397 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 401 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 398 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 402 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 399 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 403 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 400 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 404 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 401 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 405 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| Offset 449, 33 lines modified | Offset 456, 26 lines modified | ||
| 449 | » then | 456 | » then |
| 450 | » » /bin/chmod·600·"$PATH" | 457 | » » /bin/chmod·600·"$PATH" |
| 451 | » fi | 458 | » fi |
| 452 | done | 459 | done |
| 453 | #·END·fix·for·'rsyslog_files_permissions' | 460 | #·END·fix·for·'rsyslog_files_permissions' |
| 454 | ############################################################################### | 461 | ############################################################################### |
| 455 | #·BEGIN·fix·( | 462 | #·BEGIN·fix·(7·/·94)·for·'rsyslog_files_ownership' |
| 456 | ############################################################################### | 463 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule· | 464 | (>&2·echo·"Remediating·rule·7/94:·'rsyslog_files_ownership'") |
| 465 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 458 | 466 | #·END·fix·for·'rsyslog_files_ownership' | |
| 459 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 460 | #·daily·rotation·is·configured | ||
| 461 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 462 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 463 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 464 | # | 467 | ############################################################################### |
| 465 | 468 | #·BEGIN·fix·(8·/·94)·for·'rsyslog_files_groupownership' | |
| 466 | 469 | ############################################################################### | |
| 467 | 470 | (>&2·echo·"Remediating·rule·8/94:·'rsyslog_files_groupownership'") | |
| 468 | 471 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 469 | #·END·fix·for·' | 472 | #·END·fix·for·'rsyslog_files_groupownership' |
| 470 | ############################################################################### | 473 | ############################################################################### |
| 471 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' | 474 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' |
| 472 | ############################################################################### | 475 | ############################################################################### |
| 473 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") | 476 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") |
| 474 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 477 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 475 | # | 478 | # |
| Offset 528, 24 lines modified | Offset 528, 46 lines modified | ||
| 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs | 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs |
| 529 | if·!·[·$?·-eq·0·];·then | 529 | if·!·[·$?·-eq·0·];·then |
| 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs | 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs |
| 531 | fi | 531 | fi |
| 532 | #·END·fix·for·'accounts_maximum_age_login_defs' | 532 | #·END·fix·for·'accounts_maximum_age_login_defs' |
| 533 | ############################################################################### | 533 | ############################################################################### |
| 534 | #·BEGIN·fix·(11·/·94)·for·' | 534 | #·BEGIN·fix·(11·/·94)·for·'no_empty_passwords' |
| 535 | ############################################################################### | 535 | ############################################################################### |
| 536 | (>&2·echo·"Remediating·rule·11/94:·' | 536 | (>&2·echo·"Remediating·rule·11/94:·'no_empty_passwords'") |
| 537 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | ||
| 538 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | ||
| 539 | #·END·fix·for·'no_empty_passwords' | ||
| 540 | ############################################################################### | ||
| 541 | #·BEGIN·fix·(12·/·94)·for·'accounts_password_all_shadowed' | ||
| 542 | ############################################################################### | ||
| 543 | (>&2·echo·"Remediating·rule·12/94:·'accounts_password_all_shadowed'") | ||
| 544 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 545 | #·END·fix·for·'accounts_password_all_shadowed' | ||
| 546 | ############################################################################### | ||
| 547 | #·BEGIN·fix·(13·/·94)·for·'gid_passwd_group_same' | ||
| 548 | ############################################################################### | ||
| 549 | (>&2·echo·"Remediating·rule·13/94:·'gid_passwd_group_same'") | ||
| 550 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 551 | #·END·fix·for·'gid_passwd_group_same' | ||
| 552 | ############################################################################### | ||
| 553 | #·BEGIN·fix·(14·/·94)·for·'account_unique_name' | ||
| 554 | ############################################################################### | ||
| 555 | (>&2·echo·"Remediating·rule·14/94:·'account_unique_name'") | ||
| 537 | #·FIX·FOR·THIS·RULE·IS·MISSING | 556 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 538 | #·END·fix·for·'account_unique_name' | 557 | #·END·fix·for·'account_unique_name' |
| 539 | ############################################################################### | 558 | ############################################################################### |
| 540 | #·BEGIN·fix·(1 | 559 | #·BEGIN·fix·(15·/·94)·for·'account_disable_post_pw_expiration' |
| 541 | ############################################################################### | 560 | ############################################################################### |
| 542 | (>&2·echo·"Remediating·rule·1 | 561 | (>&2·echo·"Remediating·rule·15/94:·'account_disable_post_pw_expiration'") |
| 543 | var_account_disable_post_pw_expiration="90" | 562 | var_account_disable_post_pw_expiration="90" |
| 544 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 563 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 545 | #·it·does·not·exist. | 564 | #·it·does·not·exist. |
| 546 | # | 565 | # |
| 547 | #·Expects·arguments: | 566 | #·Expects·arguments: |
| 548 | # | 567 | # |
| Offset 622, 71 lines modified | Offset 644, 49 lines modified | ||
| 622 | ··fi | 644 | ··fi |
| 623 | } | 645 | } |
| 624 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' | 646 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' |
| 625 | #·END·fix·for·'account_disable_post_pw_expiration' | 647 | #·END·fix·for·'account_disable_post_pw_expiration' |
| Max diff block lines reached; 67060/74413 bytes (90.12%) of diff not shown. | |||
| Offset 1299, 26 lines modified | Offset 1299, 26 lines modified | ||
| 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1300 | if·!·[·$?·-eq·0·];·then | 1300 | if·!·[·$?·-eq·0·];·then |
| 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1302 | fi | 1302 | fi |
| 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1304 | ############################################################################### | 1304 | ############################################################################### |
| 1305 | #·BEGIN·fix·(25·/·70)·for·' | 1305 | #·BEGIN·fix·(25·/·70)·for·'accounts_no_uid_except_zero' |
| 1306 | ############################################################################### | 1306 | ############################################################################### |
| 1307 | (>&2·echo·"Remediating·rule·25/70:·' | 1307 | (>&2·echo·"Remediating·rule·25/70:·'accounts_no_uid_except_zero'") |
| 1308 | 1308 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1309 | #·END·fix·for·' | 1309 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1310 | ############################################################################### | 1310 | ############################################################################### |
| 1311 | #·BEGIN·fix·(26·/·70)·for·' | 1311 | #·BEGIN·fix·(26·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1312 | ############################################################################### | 1312 | ############################################################################### |
| 1313 | (>&2·echo·"Remediating·rule·26/70:·' | 1313 | (>&2·echo·"Remediating·rule·26/70:·'no_shelllogin_for_systemaccounts'") |
| 1314 | 1314 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1315 | #·END·fix·for·' | 1315 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1316 | ############################################################################### | 1316 | ############################################################################### |
| 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' | 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' |
| 1318 | ############################################################################### | 1318 | ############################################################################### |
| 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") | 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") |
| 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| Offset 1340, 37 lines modified | Offset 1340, 37 lines modified | ||
| 1340 | else | 1340 | else |
| 1341 | » echo·""·>>·/etc/login.defs | 1341 | » echo·""·>>·/etc/login.defs |
| 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs | 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs |
| 1343 | fi | 1343 | fi |
| 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' | 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' |
| 1345 | ############################################################################### | 1345 | ############################################################################### |
| 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_ | 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_systemauth' |
| 1347 | ############################################################################### | 1347 | ############################################################################### |
| 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_ | 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_systemauth'") |
| 1349 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1350 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1351 | ############################################################################### | ||
| 1352 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_systemauth' | ||
| 1353 | ############################################################################### | ||
| 1354 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_systemauth'") | ||
| 1355 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1349 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| 1356 | AUTH_FILES[1]="/etc/pam.d/password-auth" | 1350 | AUTH_FILES[1]="/etc/pam.d/password-auth" |
| 1357 | for·pamFile·in·"${AUTH_FILES[@]}" | 1351 | for·pamFile·in·"${AUTH_FILES[@]}" |
| 1358 | do | 1352 | do |
| 1359 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then | 1353 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then |
| 1360 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile | 1354 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile |
| 1361 | » fi | 1355 | » fi |
| 1362 | done | 1356 | done |
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' | 1357 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' |
| 1364 | ############################################################################### | 1358 | ############################################################################### |
| 1359 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1360 | ############################################################################### | ||
| 1361 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_libuserconf'") | ||
| 1362 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1364 | ############################################################################### | ||
| 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' | 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' |
| 1366 | ############################################################################### | 1366 | ############################################################################### |
| 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") | 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") |
| 1368 | var_password_pam_unix_remember="5" | 1368 | var_password_pam_unix_remember="5" |
| 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| Offset 1946, 51 lines modified | Offset 1946, 52 lines modified | ||
| 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service | 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service |
| 1947 | if·!·[·$?·-eq·0·];·then | 1947 | if·!·[·$?·-eq·0·];·then |
| 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service | 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service |
| 1949 | fi | 1949 | fi |
| 1950 | #·END·fix·for·'require_singleuser_auth' | 1950 | #·END·fix·for·'require_singleuser_auth' |
| 1951 | ############################################################################### | 1951 | ############################################################################### |
| 1952 | #·BEGIN·fix·(45·/·70)·for·' | 1952 | #·BEGIN·fix·(45·/·70)·for·'file_permissions_etc_shadow' |
| 1953 | ############################################################################### | ||
| 1954 | (>&2·echo·"Remediating·rule·45/70:·'userowner_shadow_file'") | ||
| 1955 | chown·root·/etc/shadow | ||
| 1956 | #·END·fix·for·'userowner_shadow_file' | ||
| 1957 | ############################################################################### | 1953 | ############################################################################### |
| 1958 | 1954 | (>&2·echo·"Remediating·rule·45/70:·'file_permissions_etc_shadow'") | |
| 1959 | ############################################################################### | ||
| 1960 | (>&2·echo·"Remediating·rule·46/70:·'file_permissions_etc_shadow'") | ||
| 1961 | chmod·0000·/etc/shadow | 1955 | chmod·0000·/etc/shadow |
| 1962 | #·END·fix·for·'file_permissions_etc_shadow' | 1956 | #·END·fix·for·'file_permissions_etc_shadow' |
| 1963 | ############################################################################### | 1957 | ############################################################################### |
| 1964 | #·BEGIN·fix·(4 | 1958 | #·BEGIN·fix·(46·/·70)·for·'groupowner_shadow_file' |
| 1965 | ############################################################################### | 1959 | ############################################################################### |
| 1966 | (>&2·echo·"Remediating·rule·4 | 1960 | (>&2·echo·"Remediating·rule·46/70:·'groupowner_shadow_file'") |
| 1967 | chgrp·root·/etc/shadow | 1961 | chgrp·root·/etc/shadow |
| 1968 | #·END·fix·for·'groupowner_shadow_file' | 1962 | #·END·fix·for·'groupowner_shadow_file' |
| 1969 | ############################################################################### | 1963 | ############################################################################### |
| 1970 | #·BEGIN·fix·(4 | 1964 | #·BEGIN·fix·(47·/·70)·for·'file_owner_etc_group' |
| 1971 | ############################################################################### | 1965 | ############################################################################### |
| 1972 | (>&2·echo·"Remediating·rule·4 | 1966 | (>&2·echo·"Remediating·rule·47/70:·'file_owner_etc_group'") |
| 1973 | chown·root·/etc/group | 1967 | chown·root·/etc/group |
| 1974 | #·END·fix·for·'file_owner_etc_group' | 1968 | #·END·fix·for·'file_owner_etc_group' |
| 1975 | ############################################################################### | 1969 | ############################################################################### |
| 1976 | #·BEGIN·fix·(4 | 1970 | #·BEGIN·fix·(48·/·70)·for·'file_permissions_etc_group' |
| 1977 | ############################################################################### | 1971 | ############################################################################### |
| 1978 | (>&2·echo·"Remediating·rule·4 | 1972 | (>&2·echo·"Remediating·rule·48/70:·'file_permissions_etc_group'") |
| 1979 | chmod·0644·/etc/group | 1973 | chmod·0644·/etc/group |
| 1980 | #·END·fix·for·'file_permissions_etc_group' | 1974 | #·END·fix·for·'file_permissions_etc_group' |
| 1981 | ############################################################################### | 1975 | ############################################################################### |
| 1976 | #·BEGIN·fix·(49·/·70)·for·'file_groupowner_etc_passwd' | ||
| 1977 | ############################################################################### | ||
| 1978 | (>&2·echo·"Remediating·rule·49/70:·'file_groupowner_etc_passwd'") | ||
| 1979 | chgrp·root·/etc/passwd | ||
| 1980 | #·END·fix·for·'file_groupowner_etc_passwd' | ||
| 1981 | ############################################################################### | ||
| 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' | 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' |
| 1983 | ############################################################################### | 1983 | ############################################################################### |
| 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") | 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") |
| Max diff block lines reached; 1167/8456 bytes (13.80%) of diff not shown. | |||
| Offset 681, 99 lines modified | Offset 681, 17 lines modified | ||
| 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' | 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' |
| 682 | ############################################################################### | 682 | ############################################################################### |
| 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") | 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") |
| 684 | #·FIX·FOR·THIS·RULE·IS·MISSING | 684 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' | 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' |
| 686 | ############################################################################### | 686 | ############################################################################### |
| 687 | #·BEGIN·fix·(15·/·51)·for·' | 687 | #·BEGIN·fix·(15·/·51)·for·'mount_option_dev_shm_nosuid' |
| 688 | ############################################################################### | 688 | ############################################################################### |
| 689 | (>&2·echo·"Remediating·rule·15/51:·' | 689 | (>&2·echo·"Remediating·rule·15/51:·'mount_option_dev_shm_nosuid'") |
| 690 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 691 | # | ||
| 692 | #·Example·Call(s): | ||
| 693 | # | ||
| 694 | #·····service_command·enable·bluetooth | ||
| 695 | #·····service_command·disable·bluetooth.service | ||
| 696 | # | ||
| 697 | #·····Using·xinetd: | ||
| 698 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 699 | # | ||
| 700 | function·service_command·{ | ||
| 701 | #·Load·function·arguments·into·local·variables | ||
| 702 | local·service_state=$1 | ||
| 703 | local·service=$2 | ||
| 704 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 705 | #·Check·sanity·of·the·input | ||
| 706 | if·[·$#·-lt·"2"·] | ||
| 707 | then | ||
| 708 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 709 | ··echo | ||
| 710 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 711 | ··echo·"as·the·last·argument"·· | ||
| 712 | ··echo·"Aborting." | ||
| 713 | ··exit·1 | ||
| 714 | fi | ||
| 715 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 716 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 717 | ··service_util="/usr/bin/systemctl" | ||
| 718 | else | ||
| 719 | ··service_util="/sbin/service" | ||
| 720 | ··chkconfig_util="/sbin/chkconfig" | ||
| 721 | fi | ||
| 722 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 723 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 724 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 725 | ··service_state="enable" | ||
| 726 | ··service_operation="start" | ||
| 727 | ··chkconfig_state="on" | ||
| 728 | else | ||
| 729 | ··service_state="disable" | ||
| 730 | ··service_operation="stop" | ||
| 731 | ··chkconfig_state="off" | ||
| 732 | fi | ||
| 733 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 734 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 735 | ··$service_util·$service·$service_operation | ||
| 736 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 737 | else | ||
| 738 | ··$service_util·$service_operation·$service | ||
| 739 | ··$service_util·$service_state·$service | ||
| 740 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 741 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 742 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 743 | ··$service_util·reset-failed·$service | ||
| 744 | fi | ||
| 745 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 746 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 747 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 748 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 749 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 750 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 751 | ··else | ||
| 752 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 753 | ··fi | ||
| 754 | fi | ||
| 755 | } | ||
| 756 | service_command·disable·autofs | ||
| 757 | #·END·fix·for·'service_autofs_disabled' | ||
| 758 | ############################################################################### | ||
| 759 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nosuid' | ||
| 760 | ############################################################################### | ||
| 761 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nosuid'") | ||
| 762 | function·include_mount_options_functions·{ | 690 | function·include_mount_options_functions·{ |
| 763 | » : | 691 | » : |
| 764 | } | 692 | } |
| 765 | #·$1:·mount·point | 693 | #·$1:·mount·point |
| 766 | #·$2:·new·mount·point·option | 694 | #·$2:·new·mount·point·option |
| 767 | function·ensure_mount_option_in_fstab·{ | 695 | function·ensure_mount_option_in_fstab·{ |
| Offset 828, 17 lines modified | Offset 746, 17 lines modified | ||
| 828 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" | 746 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" |
| 829 | ensure_partition_is_mounted·"/dev/shm" | 747 | ensure_partition_is_mounted·"/dev/shm" |
| 830 | #·END·fix·for·'mount_option_dev_shm_nosuid' | 748 | #·END·fix·for·'mount_option_dev_shm_nosuid' |
| 831 | ############################################################################### | 749 | ############################################################################### |
| 832 | #·BEGIN·fix·(1 | 750 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nodev' |
| 833 | ############################################################################### | 751 | ############################################################################### |
| 834 | (>&2·echo·"Remediating·rule·1 | 752 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nodev'") |
| 835 | function·include_mount_options_functions·{ | 753 | function·include_mount_options_functions·{ |
| 836 | » : | 754 | » : |
| 837 | } | 755 | } |
| 838 | #·$1:·mount·point | 756 | #·$1:·mount·point |
| 839 | #·$2:·new·mount·point·option | 757 | #·$2:·new·mount·point·option |
| 840 | function·ensure_mount_option_in_fstab·{ | 758 | function·ensure_mount_option_in_fstab·{ |
| Offset 893, 14 lines modified | Offset 811, 96 lines modified | ||
| 893 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" | 811 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" |
| 894 | ensure_partition_is_mounted·"/dev/shm" | 812 | ensure_partition_is_mounted·"/dev/shm" |
| 895 | #·END·fix·for·'mount_option_dev_shm_nodev' | 813 | #·END·fix·for·'mount_option_dev_shm_nodev' |
| 896 | ############################################################################### | 814 | ############################################################################### |
| 815 | #·BEGIN·fix·(17·/·51)·for·'service_autofs_disabled' | ||
| 816 | ############################################################################### | ||
| Max diff block lines reached; 48602/55764 bytes (87.16%) of diff not shown. | |||
| Offset 28, 42 lines modified | Offset 28, 42 lines modified | ||
| 28 | # | 28 | # |
| 29 | #·How·to·apply·this·remediation·role: | 29 | #·How·to·apply·this·remediation·role: |
| 30 | #·$·sudo·./remediation-role.sh | 30 | #·$·sudo·./remediation-role.sh |
| 31 | # | 31 | # |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | ############################################################################### | 33 | ############################################################################### |
| 34 | #·BEGIN·fix·(1·/·243)·for·'no_host_based_files' | 34 | #·BEGIN·fix·(1·/·243)·for·'no_user_host_based_files' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | (>&2·echo·"Remediating·rule·1/243:·'no_host_based_files'") | 36 | (>&2·echo·"Remediating·rule·1/243:·'no_user_host_based_files'") |
| 37 | #·Identify·local·mounts | 37 | #·Identify·local·mounts |
| 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 39 | #·Find·file·on·each·listed·mount·point | 39 | #·Find·file·on·each·listed·mount·point |
| 40 | for·cur_mount·in·${MOUNT_LIST} | 40 | for·cur_mount·in·${MOUNT_LIST} |
| 41 | do | 41 | do |
| 42 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts | 42 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 43 | done | 43 | done |
| 44 | #·END·fix·for·'no_host_based_files' | 44 | #·END·fix·for·'no_user_host_based_files' |
| 45 | ############################################################################### | 45 | ############################################################################### |
| 46 | #·BEGIN·fix·(2·/·243)·for·'no_ | 46 | #·BEGIN·fix·(2·/·243)·for·'no_host_based_files' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/243:·'no_ | 48 | (>&2·echo·"Remediating·rule·2/243:·'no_host_based_files'") |
| 49 | #·Identify·local·mounts | 49 | #·Identify·local·mounts |
| 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 51 | #·Find·file·on·each·listed·mount·point | 51 | #·Find·file·on·each·listed·mount·point |
| 52 | for·cur_mount·in·${MOUNT_LIST} | 52 | for·cur_mount·in·${MOUNT_LIST} |
| 53 | do | 53 | do |
| 54 | » find·${cur_mount}·-xdev·-type·f·-name·" | 54 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 55 | done | 55 | done |
| 56 | #·END·fix·for·'no_ | 56 | #·END·fix·for·'no_host_based_files' |
| 57 | ############################################################################### | 57 | ############################################################################### |
| 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' | 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' |
| 59 | ############################################################################### | 59 | ############################################################################### |
| 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") | 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") |
| 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 62 | # | 62 | # |
| Offset 190, 24 lines modified | Offset 190, 17 lines modified | ||
| 190 | } | 190 | } |
| 191 | package_remove·ypserv | 191 | package_remove·ypserv |
| 192 | #·END·fix·for·'package_ypserv_removed' | 192 | #·END·fix·for·'package_ypserv_removed' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | #·BEGIN·fix·(6·/·243)·for·'tftp | 194 | #·BEGIN·fix·(6·/·243)·for·'package_tftp-server_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | (>&2·echo·"Remediating·rule·6/243:·'tftp | 196 | (>&2·echo·"Remediating·rule·6/243:·'package_tftp-server_removed'") |
| 197 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 198 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 199 | ############################################################################### | ||
| 200 | #·BEGIN·fix·(7·/·243)·for·'package_tftp-server_removed' | ||
| 201 | ############################################################################### | ||
| 202 | (>&2·echo·"Remediating·rule·7/243:·'package_tftp-server_removed'") | ||
| 203 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 197 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 198 | # |
| 205 | #·Example·Call(s): | 199 | #·Example·Call(s): |
| 206 | # | 200 | # |
| 207 | #·····package_remove·telnet-server | 201 | #·····package_remove·telnet-server |
| 208 | # | 202 | # |
| 209 | function·package_remove·{ | 203 | function·package_remove·{ |
| Offset 241, 14 lines modified | Offset 234, 21 lines modified | ||
| 241 | } | 234 | } |
| 242 | package_remove·tftp-server | 235 | package_remove·tftp-server |
| 243 | #·END·fix·for·'package_tftp-server_removed' | 236 | #·END·fix·for·'package_tftp-server_removed' |
| 244 | ############################################################################### | 237 | ############################################################################### |
| 238 | #·BEGIN·fix·(7·/·243)·for·'tftpd_uses_secure_mode' | ||
| 239 | ############################################################################### | ||
| 240 | (>&2·echo·"Remediating·rule·7/243:·'tftpd_uses_secure_mode'") | ||
| 241 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 242 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 243 | ############################################################################### | ||
| 245 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' | 244 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' |
| 246 | ############################################################################### | 245 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") | 246 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") |
| 248 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 247 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 249 | # | 248 | # |
| 250 | #·Example·Call(s): | 249 | #·Example·Call(s): |
| 251 | # | 250 | # |
| Offset 475, 26 lines modified | Offset 475, 26 lines modified | ||
| 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf | 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf |
| 476 | else | 476 | else |
| 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf | 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf |
| 478 | fi | 478 | fi |
| 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' | 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' |
| 480 | ############################################################################### | 480 | ############################################################################### |
| 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_ | 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_noexec_remote_filesystems' |
| 482 | ############################################################################### | 482 | ############################################################################### |
| 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_ | 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_noexec_remote_filesystems'") |
| 484 | #·FIX·FOR·THIS·RULE·IS·MISSING | 484 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 485 | #·END·fix·for·'mount_option_ | 485 | #·END·fix·for·'mount_option_noexec_remote_filesystems' |
| 486 | ############################################################################### | 486 | ############################################################################### |
| 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_ | 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_krb_sec_remote_filesystems' |
| 488 | ############################################################################### | 488 | ############################################################################### |
| 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_ | 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_krb_sec_remote_filesystems'") |
| 490 | #·FIX·FOR·THIS·RULE·IS·MISSING | 490 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 491 | #·END·fix·for·'mount_option_ | 491 | #·END·fix·for·'mount_option_krb_sec_remote_filesystems' |
| 492 | ############################################################################### | 492 | ############################################################################### |
| 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 494 | ############################################################################### | 494 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 496 | #·FIX·FOR·THIS·RULE·IS·MISSING | 496 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| Offset 2270, 128 lines modified | Offset 2270, 24 lines modified | ||
| 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' | 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' |
| 2271 | ############################################################################### | 2271 | ############################################################################### |
| 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") | 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") |
| 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING | 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 2274 | #·END·fix·for·'rsyslog_nolisten' | 2274 | #·END·fix·for·'rsyslog_nolisten' |
| 2275 | ############################################################################### | 2275 | ############################################################################### |
| 2276 | #·BEGIN·fix·(50·/·243)·for·'s | 2276 | #·BEGIN·fix·(50·/·243)·for·'set_firewalld_default_zone' |
| 2277 | ############################################################################### | ||
| 2278 | (>&2·echo·"Remediating·rule·50/243:·'sysctl_net_ipv6_conf_all_accept_source_route'") | ||
| Max diff block lines reached; 153301/163979 bytes (93.49%) of diff not shown. | |||
| Offset 115, 61 lines modified | Offset 115, 17 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·' | 119 | #·BEGIN·fix·(3·/·188)·for·'service_ntpd_enabled' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·' | 121 | (>&2·echo·"Remediating·rule·3/188:·'service_ntpd_enabled'") |
| 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 123 | # | ||
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·dhcp | ||
| 155 | #·END·fix·for·'package_dhcp_removed' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(4·/·188)·for·'service_ntpd_enabled' | ||
| 158 | ############################################################################### | ||
| 159 | (>&2·echo·"Remediating·rule·4/188:·'service_ntpd_enabled'") | ||
| 160 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 122 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 161 | # | 123 | # |
| 162 | #·Example·Call(s): | 124 | #·Example·Call(s): |
| 163 | # | 125 | # |
| 164 | #·····service_command·enable·bluetooth | 126 | #·····service_command·enable·bluetooth |
| 165 | #·····service_command·disable·bluetooth.service | 127 | #·····service_command·disable·bluetooth.service |
| 166 | # | 128 | # |
| Offset 241, 31 lines modified | Offset 197, 31 lines modified | ||
| 241 | } | 197 | } |
| 242 | service_command·enable·ntpd | 198 | service_command·enable·ntpd |
| 243 | #·END·fix·for·'service_ntpd_enabled' | 199 | #·END·fix·for·'service_ntpd_enabled' |
| 244 | ############################################################################### | 200 | ############################################################################### |
| 245 | #·BEGIN·fix·( | 201 | #·BEGIN·fix·(4·/·188)·for·'ntpd_specify_remote_server' |
| 246 | ############################################################################### | 202 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule· | 203 | (>&2·echo·"Remediating·rule·4/188:·'ntpd_specify_remote_server'") |
| 248 | #·FIX·FOR·THIS·RULE·IS·MISSING | 204 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 249 | #·END·fix·for·'ntpd_specify_ | 205 | #·END·fix·for·'ntpd_specify_remote_server' |
| 250 | ############################################################################### | 206 | ############################################################################### |
| 251 | #·BEGIN·fix·( | 207 | #·BEGIN·fix·(5·/·188)·for·'ntpd_specify_multiple_servers' |
| 252 | ############################################################################### | 208 | ############################################################################### |
| 253 | (>&2·echo·"Remediating·rule· | 209 | (>&2·echo·"Remediating·rule·5/188:·'ntpd_specify_multiple_servers'") |
| 254 | #·FIX·FOR·THIS·RULE·IS·MISSING | 210 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 255 | #·END·fix·for·'ntpd_specify_ | 211 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 256 | ############################################################################### | 212 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 213 | #·BEGIN·fix·(6·/·188)·for·'service_cups_disabled' |
| 258 | ############################################################################### | 214 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 215 | (>&2·echo·"Remediating·rule·6/188:·'service_cups_disabled'") |
| 260 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 216 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 217 | # |
| 262 | #·Example·Call(s): | 218 | #·Example·Call(s): |
| 263 | # | 219 | # |
| 264 | #·····service_command·enable·bluetooth | 220 | #·····service_command·enable·bluetooth |
| 265 | #·····service_command·disable·bluetooth.service | 221 | #·····service_command·disable·bluetooth.service |
| 266 | # | 222 | # |
| Offset 337, 17 lines modified | Offset 293, 17 lines modified | ||
| 337 | } | 293 | } |
| 338 | service_command·disable·cups | 294 | service_command·disable·cups |
| 339 | #·END·fix·for·'service_cups_disabled' | 295 | #·END·fix·for·'service_cups_disabled' |
| 340 | ############################################################################### | 296 | ############################################################################### |
| 341 | #·BEGIN·fix·( | 297 | #·BEGIN·fix·(7·/·188)·for·'package_net-snmp_removed' |
| 342 | ############################################################################### | 298 | ############################################################################### |
| 343 | (>&2·echo·"Remediating·rule· | 299 | (>&2·echo·"Remediating·rule·7/188:·'package_net-snmp_removed'") |
| 344 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 345 | # | 301 | # |
| 346 | #·Example·Call(s): | 302 | #·Example·Call(s): |
| 347 | # | 303 | # |
| 348 | #·····package_remove·telnet-server | 304 | #·····package_remove·telnet-server |
| 349 | # | 305 | # |
| 350 | function·package_remove·{ | 306 | function·package_remove·{ |
| Offset 381, 225 lines modified | Offset 337, 17 lines modified | ||
| 381 | } | 337 | } |
| 382 | package_remove·net-snmp | 338 | package_remove·net-snmp |
| 383 | #·END·fix·for·'package_net-snmp_removed' | 339 | #·END·fix·for·'package_net-snmp_removed' |
| 384 | ############################################################################### | 340 | ############################################################################### |
| 385 | #·BEGIN·fix·( | 341 | #·BEGIN·fix·(8·/·188)·for·'package_rsh_removed' |
| 386 | ############################################################################### | 342 | ############################################################################### |
| 387 | (>&2·echo·"Remediating·rule· | 343 | (>&2·echo·"Remediating·rule·8/188:·'package_rsh_removed'") |
| 388 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 389 | # | ||
| 390 | #·Example·Call(s): | ||
| 391 | # | ||
| 392 | #·····service_command·enable·bluetooth | ||
| Max diff block lines reached; 431773/442964 bytes (97.47%) of diff not shown. | |||
| Offset 18, 26 lines modified | Offset 18, 26 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_ | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_present_banner' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_ | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_present_banner'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'ftp_ | 28 | #·END·fix·for·'ftp_present_banner' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_ | 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_log_transactions' |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_ | 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_log_transactions'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'ftp_ | 34 | #·END·fix·for·'ftp_log_transactions' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") |
| 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 40 | # | 40 | # |
| Offset 280, 19 lines modified | Offset 280, 19 lines modified | ||
| 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' | 280 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 281 | ############################################################################### | 281 | ############################################################################### |
| 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") | 282 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 283 | #·FIX·FOR·THIS·RULE·IS·MISSING | 283 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 284 | #·END·fix·for·'httpd_cgi_support' | 284 | #·END·fix·for·'httpd_cgi_support' |
| 285 | ############################################################################### | 285 | ############################################################################### |
| 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 286 | #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication' |
| 287 | ############################################################################### | 287 | ############################################################################### |
| 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 288 | (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'") |
| 289 | #·FIX·FOR·THIS·RULE·IS·MISSING | 289 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 290 | #·END·fix·for·'httpd_ | 290 | #·END·fix·for·'httpd_digest_authentication' |
| 291 | ############################################################################### | 291 | ############################################################################### |
| 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 292 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 293 | ############################################################################### | 293 | ############################################################################### |
| 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 294 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 295 | #·FIX·FOR·THIS·RULE·IS·MISSING | 295 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 296 | #·END·fix·for·'httpd_server_activity_status' | 296 | #·END·fix·for·'httpd_server_activity_status' |
| Offset 301, 19 lines modified | Offset 301, 19 lines modified | ||
| 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' | 301 | #·BEGIN·fix·(19·/·313)·for·'httpd_server_configuration_display' |
| 302 | ############################################################################### | 302 | ############################################################################### |
| 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") | 303 | (>&2·echo·"Remediating·rule·19/313:·'httpd_server_configuration_display'") |
| 304 | #·FIX·FOR·THIS·RULE·IS·MISSING | 304 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 305 | #·END·fix·for·'httpd_server_configuration_display' | 305 | #·END·fix·for·'httpd_server_configuration_display' |
| 306 | ############################################################################### | 306 | ############################################################################### |
| 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_ | 307 | #·BEGIN·fix·(20·/·313)·for·'httpd_url_correction' |
| 308 | ############################################################################### | 308 | ############################################################################### |
| 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_ | 309 | (>&2·echo·"Remediating·rule·20/313:·'httpd_url_correction'") |
| 310 | #·FIX·FOR·THIS·RULE·IS·MISSING | 310 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 311 | #·END·fix·for·'httpd_ | 311 | #·END·fix·for·'httpd_url_correction' |
| 312 | ############################################################################### | 312 | ############################################################################### |
| 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' | 313 | #·BEGIN·fix·(21·/·313)·for·'httpd_mime_magic' |
| 314 | ############################################################################### | 314 | ############################################################################### |
| 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") | 315 | (>&2·echo·"Remediating·rule·21/313:·'httpd_mime_magic'") |
| 316 | #·FIX·FOR·THIS·RULE·IS·MISSING | 316 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 317 | #·END·fix·for·'httpd_mime_magic' | 317 | #·END·fix·for·'httpd_mime_magic' |
| Offset 350, 59 lines modified | Offset 350, 17 lines modified | ||
| 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' | 350 | #·BEGIN·fix·(26·/·313)·for·'httpd_proxy_support' |
| 351 | ############################################################################### | 351 | ############################################################################### |
| 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") | 352 | (>&2·echo·"Remediating·rule·26/313:·'httpd_proxy_support'") |
| 353 | #·FIX·FOR·THIS·RULE·IS·MISSING | 353 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 354 | #·END·fix·for·'httpd_proxy_support' | 354 | #·END·fix·for·'httpd_proxy_support' |
| 355 | ############################################################################### | 355 | ############################################################################### |
| 356 | #·BEGIN·fix·(27·/·313)·for·'s | 356 | #·BEGIN·fix·(27·/·313)·for·'service_ntpd_enabled' |
| 357 | ############################################################################### | ||
| 358 | (>&2·echo·"Remediating·rule·27/313:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 359 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 360 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 361 | ############################################################################### | ||
| 362 | #·BEGIN·fix·(28·/·313)·for·'dhcp_server_deny_decline' | ||
| 363 | ############################################################################### | ||
| 364 | (>&2·echo·"Remediating·rule·28/313:·'dhcp_server_deny_decline'") | ||
| 365 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 366 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 367 | ############################################################################### | ||
| 368 | #·BEGIN·fix·(29·/·313)·for·'dhcp_server_disable_ddns' | ||
| 369 | ############################################################################### | ||
| 370 | (>&2·echo·"Remediating·rule·29/313:·'dhcp_server_disable_ddns'") | ||
| 371 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 372 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 373 | ############################################################################### | ||
| 374 | #·BEGIN·fix·(30·/·313)·for·'dhcp_server_minimize_served_info' | ||
| 375 | ############################################################################### | ||
| 376 | (>&2·echo·"Remediating·rule·30/313:·'dhcp_server_minimize_served_info'") | ||
| 377 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 378 | #·END·fix·for·'dhcp_server_minimize_served_info' | ||
| 379 | ############################################################################### | ||
| 380 | #·BEGIN·fix·(31·/·313)·for·'dhcp_server_deny_bootp' | ||
| 381 | ############################################################################### | ||
| 382 | (>&2·echo·"Remediating·rule·31/313:·'dhcp_server_deny_bootp'") | ||
| 383 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 384 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 385 | ############################################################################### | ||
| 386 | #·BEGIN·fix·(32·/·313)·for·'dhcp_server_configure_logging' | ||
| 387 | ############################################################################### | ||
| 388 | (>&2·echo·"Remediating·rule·32/313:·'dhcp_server_configure_logging'") | ||
| 389 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 390 | #·END·fix·for·'dhcp_server_configure_logging' | ||
| 391 | ############################################################################### | ||
| 392 | #·BEGIN·fix·(33·/·313)·for·'service_ntpd_enabled' | ||
| 393 | ############################################################################### | 357 | ############################################################################### |
| 394 | (>&2·echo·"Remediating·rule· | 358 | (>&2·echo·"Remediating·rule·27/313:·'service_ntpd_enabled'") |
| 395 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 359 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 396 | # | 360 | # |
| 397 | #·Example·Call(s): | 361 | #·Example·Call(s): |
| 398 | # | 362 | # |
| 399 | #·····service_command·enable·bluetooth | 363 | #·····service_command·enable·bluetooth |
| 400 | #·····service_command·disable·bluetooth.service | 364 | #·····service_command·disable·bluetooth.service |
| 401 | # | 365 | # |
| Offset 474, 31 lines modified | Offset 432, 31 lines modified | ||
| Max diff block lines reached; 653403/660390 bytes (98.94%) of diff not shown. | |||
| Offset 171, 171 lines modified | Offset 171, 17 lines modified | ||
| 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' | 171 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| 172 | ############################################################################### | 172 | ############################################################################### |
| 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") | 173 | (>&2·echo·"Remediating·rule·5/215:·'dir_perms_var_log_httpd'") |
| 174 | #·FIX·FOR·THIS·RULE·IS·MISSING | 174 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 175 | #·END·fix·for·'dir_perms_var_log_httpd' | 175 | #·END·fix·for·'dir_perms_var_log_httpd' |
| 176 | ############################################################################### | 176 | ############################################################################### |
| 177 | #·BEGIN·fix·(6·/·215)·for·'s | 177 | #·BEGIN·fix·(6·/·215)·for·'service_ntpd_enabled' |
| 178 | ############################################################################### | 178 | ############################################################################### |
| 179 | (>&2·echo·"Remediating·rule·6/215:·'s | 179 | (>&2·echo·"Remediating·rule·6/215:·'service_ntpd_enabled'") |
| 180 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 181 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 182 | ############################################################################### | ||
| 183 | #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline' | ||
| 184 | ############################################################################### | ||
| 185 | (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'") | ||
| 186 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 187 | #·END·fix·for·'dhcp_server_deny_decline' | ||
| 188 | ############################################################################### | ||
| 189 | #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns' | ||
| 190 | ############################################################################### | ||
| 191 | (>&2·echo·"Remediating·rule·8/215:·'dhcp_server_disable_ddns'") | ||
| 192 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 193 | #·END·fix·for·'dhcp_server_disable_ddns' | ||
| 194 | ############################################################################### | ||
| 195 | #·BEGIN·fix·(9·/·215)·for·'dhcp_server_deny_bootp' | ||
| 196 | ############################################################################### | ||
| 197 | (>&2·echo·"Remediating·rule·9/215:·'dhcp_server_deny_bootp'") | ||
| 198 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 199 | #·END·fix·for·'dhcp_server_deny_bootp' | ||
| 200 | ############################################################################### | ||
| 201 | #·BEGIN·fix·(10·/·215)·for·'package_dhcp_removed' | ||
| 202 | ############################################################################### | ||
| 203 | (>&2·echo·"Remediating·rule·10/215:·'package_dhcp_removed'") | ||
| 204 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 205 | # | ||
| 206 | #·Example·Call(s): | ||
| 207 | # | ||
| 208 | #·····package_remove·telnet-server | ||
| 209 | # | ||
| 210 | function·package_remove·{ | ||
| 211 | #·Load·function·arguments·into·local·variables | ||
| 212 | local·package="$1" | ||
| 213 | #·Check·sanity·of·the·input | ||
| 214 | if·[·$#·-ne·"1"·] | ||
| 215 | then | ||
| 216 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | if·which·dnf·;·then | ||
| 221 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 222 | ····dnf·remove·-y·"$package" | ||
| 223 | ··fi | ||
| 224 | elif·which·yum·;·then | ||
| 225 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 226 | ····yum·remove·-y·"$package" | ||
| 227 | ··fi | ||
| 228 | elif·which·apt-get·;·then | ||
| 229 | ··apt-get·remove·-y·"$package" | ||
| 230 | else | ||
| 231 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 232 | ··echo·"Aborting." | ||
| 233 | ··exit·1 | ||
| 234 | fi | ||
| 235 | } | ||
| 236 | package_remove·dhcp | ||
| 237 | #·END·fix·for·'package_dhcp_removed' | ||
| 238 | ############################################################################### | ||
| 239 | #·BEGIN·fix·(11·/·215)·for·'service_dhcpd_disabled' | ||
| 240 | ############################################################################### | ||
| 241 | (>&2·echo·"Remediating·rule·11/215:·'service_dhcpd_disabled'") | ||
| 242 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 243 | # | ||
| 244 | #·Example·Call(s): | ||
| 245 | # | ||
| 246 | #·····service_command·enable·bluetooth | ||
| 247 | #·····service_command·disable·bluetooth.service | ||
| 248 | # | ||
| 249 | #·····Using·xinetd: | ||
| 250 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 251 | # | ||
| 252 | function·service_command·{ | ||
| 253 | #·Load·function·arguments·into·local·variables | ||
| 254 | local·service_state=$1 | ||
| 255 | local·service=$2 | ||
| 256 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 257 | #·Check·sanity·of·the·input | ||
| 258 | if·[·$#·-lt·"2"·] | ||
| 259 | then | ||
| 260 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 261 | ··echo | ||
| 262 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 263 | ··echo·"as·the·last·argument"·· | ||
| 264 | ··echo·"Aborting." | ||
| 265 | ··exit·1 | ||
| 266 | fi | ||
| 267 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 268 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 269 | ··service_util="/usr/bin/systemctl" | ||
| 270 | else | ||
| 271 | ··service_util="/sbin/service" | ||
| 272 | ··chkconfig_util="/sbin/chkconfig" | ||
| 273 | fi | ||
| 274 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 275 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 276 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 277 | ··service_state="enable" | ||
| 278 | ··service_operation="start" | ||
| 279 | ··chkconfig_state="on" | ||
| 280 | else | ||
| 281 | ··service_state="disable" | ||
| 282 | ··service_operation="stop" | ||
| Max diff block lines reached; 399972/405921 bytes (98.53%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·206)·for·' | 275 | #·BEGIN·fix·(5·/·206)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/206:·' | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·206)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/206:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 476334/480616 bytes (99.11%) of diff not shown. | |||
| Offset 100, 195 lines modified | Offset 100, 31 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·211)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/211:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 108 | #·END·fix·for·'ntpd_specify_multiple_servers' | ||
| 109 | ############################################################################### | ||
| 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | ||
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | ||
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_remote_server' | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 109 | ############################################################################### |
| 116 | #·BEGIN·fix·( | 110 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_multiple_servers' |
| 117 | ############################################################################### | ||
| 118 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") | ||
| 119 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 120 | # | ||
| 121 | #·Example·Call(s): | ||
| 122 | # | ||
| 123 | #·····service_command·enable·bluetooth | ||
| 124 | #·····service_command·disable·bluetooth.service | ||
| 125 | # | ||
| 126 | #·····Using·xinetd: | ||
| 127 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 128 | # | ||
| 129 | function·service_command·{ | ||
| 130 | #·Load·function·arguments·into·local·variables | ||
| 131 | local·service_state=$1 | ||
| 132 | local·service=$2 | ||
| 133 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 134 | #·Check·sanity·of·the·input | ||
| 135 | if·[·$#·-lt·"2"·] | ||
| 136 | then | ||
| 137 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 138 | ··echo | ||
| 139 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 140 | ··echo·"as·the·last·argument"·· | ||
| 141 | ··echo·"Aborting." | ||
| 142 | ··exit·1 | ||
| 143 | fi | ||
| 144 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 145 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 146 | ··service_util="/usr/bin/systemctl" | ||
| 147 | else | ||
| 148 | ··service_util="/sbin/service" | ||
| 149 | ··chkconfig_util="/sbin/chkconfig" | ||
| 150 | fi | ||
| 151 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 152 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 153 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 154 | ··service_state="enable" | ||
| 155 | ··service_operation="start" | ||
| 156 | ··chkconfig_state="on" | ||
| 157 | else | ||
| 158 | ··service_state="disable" | ||
| 159 | ··service_operation="stop" | ||
| 160 | ··chkconfig_state="off" | ||
| 161 | fi | ||
| 162 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 163 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 164 | ··$service_util·$service·$service_operation | ||
| 165 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 166 | else | ||
| 167 | ··$service_util·$service_operation·$service | ||
| 168 | ··$service_util·$service_state·$service | ||
| 169 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 170 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 171 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 172 | ··$service_util·reset-failed·$service | ||
| 173 | fi | ||
| 174 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 175 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 176 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 177 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 178 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 179 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 180 | ··else | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··fi | ||
| 183 | fi | ||
| 184 | } | ||
| 185 | service_command·enable·crond | ||
| 186 | #·END·fix·for·'service_crond_enabled' | ||
| 187 | ############################################################################### | ||
| 188 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 189 | ############################################################################### | 111 | ############################################################################### |
| 190 | (>&2·echo·"Remediating·rule· | 112 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_multiple_servers'") |
| 191 | #·F | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 192 | # | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 193 | #·Example·Call(s): | ||
| 194 | # | ||
| 195 | #·····service_command·enable·bluetooth | ||
| 196 | #·····service_command·disable·bluetooth.service | ||
| 197 | # | ||
| 198 | #·····Using·xinetd: | ||
| 199 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 200 | # | ||
| 201 | function·service_command·{ | ||
| 202 | #·Load·function·arguments·into·local·variables | ||
| 203 | local·service_state=$1 | ||
| 204 | local·service=$2 | ||
| 205 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 206 | #·Check·sanity·of·the·input | ||
| 207 | if·[·$#·-lt·"2"·] | ||
| 208 | then | ||
| 209 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| Max diff block lines reached; 434330/440729 bytes (98.55%) of diff not shown. | |||
| Offset 25, 40 lines modified | Offset 25, 40 lines modified | ||
| 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' | 25 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") | 27 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | 28 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 29 | #·END·fix·for·'ftp_restrict_to_anon' | 29 | #·END·fix·for·'ftp_restrict_to_anon' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_ | 31 | #·BEGIN·fix·(2·/·192)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·2/192:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 35 | #·END·fix·for·'ftp_ | 35 | #·END·fix·for·'ftp_present_banner' |
| 36 | ############################################################################### | 36 | ############################################################################### |
| 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_ | 37 | #·BEGIN·fix·(3·/·192)·for·'ftp_disable_uploads' |
| 38 | ############################################################################### | 38 | ############################################################################### |
| 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_ | 39 | (>&2·echo·"Remediating·rule·3/192:·'ftp_disable_uploads'") |
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_ | 41 | #·END·fix·for·'ftp_disable_uploads' |
| 42 | ############################################################################### | 42 | ############################################################################### |
| 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_ | 43 | #·BEGIN·fix·(4·/·192)·for·'ftp_home_partition' |
| 44 | ############################################################################### | 44 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_ | 45 | (>&2·echo·"Remediating·rule·4/192:·'ftp_home_partition'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 46 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'ftp_ | 47 | #·END·fix·for·'ftp_home_partition' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_ | 49 | #·BEGIN·fix·(5·/·192)·for·'ftp_log_transactions' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_ | 51 | (>&2·echo·"Remediating·rule·5/192:·'ftp_log_transactions'") |
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | 52 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 53 | #·END·fix·for·'ftp_ | 53 | #·END·fix·for·'ftp_log_transactions' |
| 54 | ############################################################################### | 54 | ############################################################################### |
| 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | 55 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' |
| 56 | ############################################################################### | 56 | ############################################################################### |
| 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | 57 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") |
| 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 58 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 59 | # | 59 | # |
| Offset 97, 24 lines modified | Offset 97, 17 lines modified | ||
| 97 | } | 97 | } |
| 98 | package_install·vsftpd | 98 | package_install·vsftpd |
| 99 | #·END·fix·for·'package_vsftpd_installed' | 99 | #·END·fix·for·'package_vsftpd_installed' |
| 100 | ############################################################################### | 100 | ############################################################################### |
| 101 | #·BEGIN·fix·(7·/·192)·for·'s | 101 | #·BEGIN·fix·(7·/·192)·for·'service_ntpd_enabled' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | (>&2·echo·"Remediating·rule·7/192:·'s | 103 | (>&2·echo·"Remediating·rule·7/192:·'service_ntpd_enabled'") |
| 104 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 105 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 106 | ############################################################################### | ||
| 107 | #·BEGIN·fix·(8·/·192)·for·'service_ntpd_enabled' | ||
| 108 | ############################################################################### | ||
| 109 | (>&2·echo·"Remediating·rule·8/192:·'service_ntpd_enabled'") | ||
| 110 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 104 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 111 | # | 105 | # |
| 112 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 113 | # | 107 | # |
| 114 | #·····service_command·enable·bluetooth | 108 | #·····service_command·enable·bluetooth |
| 115 | #·····service_command·disable·bluetooth.service | 109 | #·····service_command·disable·bluetooth.service |
| 116 | # | 110 | # |
| Offset 186, 260 lines modified | Offset 179, 45 lines modified | ||
| 186 | } | 179 | } |
| 187 | service_command·enable·ntpd | 180 | service_command·enable·ntpd |
| 188 | #·END·fix·for·'service_ntpd_enabled' | 181 | #·END·fix·for·'service_ntpd_enabled' |
| 189 | ############################################################################### | 182 | ############################################################################### |
| 190 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(8·/·192)·for·'ntpd_specify_remote_server' |
| 191 | ############################################################################### | 184 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·8/192:·'ntpd_specify_remote_server'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 186 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·'ntpd_specify_remote_server' | 187 | #·END·fix·for·'ntpd_specify_remote_server' |
| 195 | ############################################################################### | 188 | ############################################################################### |
| 196 | #·BEGIN·fix·( | 189 | #·BEGIN·fix·(9·/·192)·for·'service_rlogin_disabled' |
| 197 | ############################################################################### | ||
| 198 | (>&2·echo·"Remediating·rule·10/192:·'service_crond_enabled'") | ||
| 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 200 | # | ||
| 201 | #·Example·Call(s): | ||
| 202 | # | ||
| 203 | #·····service_command·enable·bluetooth | ||
| 204 | #·····service_command·disable·bluetooth.service | ||
| 205 | # | ||
| 206 | #·····Using·xinetd: | ||
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 210 | #·Load·function·arguments·into·local·variables | ||
| 211 | local·service_state=$1 | ||
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-lt·"2"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 223 | fi | ||
| 224 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 225 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 226 | ··service_util="/usr/bin/systemctl" | ||
| 227 | else | ||
| 228 | ··service_util="/sbin/service" | ||
| 229 | ··chkconfig_util="/sbin/chkconfig" | ||
| 230 | fi | ||
| 231 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 232 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 233 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 234 | ··service_state="enable" | ||
| 235 | ··service_operation="start" | ||
| 236 | ··chkconfig_state="on" | ||
| 237 | else | ||
| 238 | ··service_state="disable" | ||
| Max diff block lines reached; 435638/446937 bytes (97.47%) of diff not shown. | |||
| Offset 192, 150 lines modified | Offset 192, 17 lines modified | ||
| 192 | } | 192 | } |
| 193 | package_remove·httpd | 193 | package_remove·httpd |
| 194 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | #·BEGIN·fix·(4·/·270)·for·'s | 196 | #·BEGIN·fix·(4·/·270)·for·'service_ntpd_enabled' |
| 197 | ############################################################################### | 197 | ############################################################################### |
| 198 | (>&2·echo·"Remediating·rule·4/270:·'s | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_ntpd_enabled'") |
| 199 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 200 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 201 | ############################################################################### | ||
| 202 | #·BEGIN·fix·(5·/·270)·for·'package_dhcp_removed' | ||
| 203 | ############################################################################### | ||
| 204 | (>&2·echo·"Remediating·rule·5/270:·'package_dhcp_removed'") | ||
| 205 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 206 | # | ||
| 207 | #·Example·Call(s): | ||
| 208 | # | ||
| 209 | #·····package_remove·telnet-server | ||
| 210 | # | ||
| 211 | function·package_remove·{ | ||
| 212 | #·Load·function·arguments·into·local·variables | ||
| 213 | local·package="$1" | ||
| 214 | #·Check·sanity·of·the·input | ||
| 215 | if·[·$#·-ne·"1"·] | ||
| 216 | then | ||
| 217 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 218 | ··echo·"Aborting." | ||
| 219 | ··exit·1 | ||
| 220 | fi | ||
| 221 | if·which·dnf·;·then | ||
| 222 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 223 | ····dnf·remove·-y·"$package" | ||
| 224 | ··fi | ||
| 225 | elif·which·yum·;·then | ||
| 226 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 227 | ····yum·remove·-y·"$package" | ||
| 228 | ··fi | ||
| 229 | elif·which·apt-get·;·then | ||
| 230 | ··apt-get·remove·-y·"$package" | ||
| 231 | else | ||
| 232 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 233 | ··echo·"Aborting." | ||
| 234 | ··exit·1 | ||
| 235 | fi | ||
| 236 | } | ||
| 237 | package_remove·dhcp | ||
| 238 | #·END·fix·for·'package_dhcp_removed' | ||
| 239 | ############################################################################### | ||
| 240 | #·BEGIN·fix·(6·/·270)·for·'service_dhcpd_disabled' | ||
| 241 | ############################################################################### | ||
| 242 | (>&2·echo·"Remediating·rule·6/270:·'service_dhcpd_disabled'") | ||
| 243 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 244 | # | ||
| 245 | #·Example·Call(s): | ||
| 246 | # | ||
| 247 | #·····service_command·enable·bluetooth | ||
| 248 | #·····service_command·disable·bluetooth.service | ||
| 249 | # | ||
| 250 | #·····Using·xinetd: | ||
| 251 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 252 | # | ||
| 253 | function·service_command·{ | ||
| 254 | #·Load·function·arguments·into·local·variables | ||
| 255 | local·service_state=$1 | ||
| 256 | local·service=$2 | ||
| 257 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 258 | #·Check·sanity·of·the·input | ||
| 259 | if·[·$#·-lt·"2"·] | ||
| 260 | then | ||
| 261 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 262 | ··echo | ||
| 263 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 264 | ··echo·"as·the·last·argument"·· | ||
| 265 | ··echo·"Aborting." | ||
| 266 | ··exit·1 | ||
| 267 | fi | ||
| 268 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 269 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 270 | ··service_util="/usr/bin/systemctl" | ||
| 271 | else | ||
| 272 | ··service_util="/sbin/service" | ||
| 273 | ··chkconfig_util="/sbin/chkconfig" | ||
| 274 | fi | ||
| 275 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 276 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 277 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 278 | ··service_state="enable" | ||
| 279 | ··service_operation="start" | ||
| 280 | ··chkconfig_state="on" | ||
| 281 | else | ||
| 282 | ··service_state="disable" | ||
| 283 | ··service_operation="stop" | ||
| 284 | ··chkconfig_state="off" | ||
| 285 | fi | ||
| 286 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 287 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 288 | ··$service_util·$service·$service_operation | ||
| 289 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 290 | else | ||
| 291 | ··$service_util·$service_operation·$service | ||
| 292 | ··$service_util·$service_state·$service | ||
| 293 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 294 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 295 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 296 | ··$service_util·reset-failed·$service | ||
| 297 | fi | ||
| 298 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 299 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 300 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 301 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| Max diff block lines reached; 641174/645849 bytes (99.28%) of diff not shown. | |||
| Offset 100, 26 lines modified | Offset 100, 26 lines modified | ||
| 100 | } | 100 | } |
| 101 | service_command·enable·ntpd | 101 | service_command·enable·ntpd |
| 102 | #·END·fix·for·'service_ntpd_enabled' | 102 | #·END·fix·for·'service_ntpd_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_ | 104 | #·BEGIN·fix·(2·/·94)·for·'ntpd_specify_remote_server' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_ | 106 | (>&2·echo·"Remediating·rule·2/94:·'ntpd_specify_remote_server'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 108 | #·END·fix·for·'ntpd_specify_ | 108 | #·END·fix·for·'ntpd_specify_remote_server' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_ | 110 | #·BEGIN·fix·(3·/·94)·for·'ntpd_specify_multiple_servers' |
| 111 | ############################################################################### | 111 | ############################################################################### |
| 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_ | 112 | (>&2·echo·"Remediating·rule·3/94:·'ntpd_specify_multiple_servers'") |
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'ntpd_specify_ | 114 | #·END·fix·for·'ntpd_specify_multiple_servers' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' | 116 | #·BEGIN·fix·(4·/·94)·for·'sshd_set_idle_timeout' |
| 117 | ############################################################################### | 117 | ############################################################################### |
| 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") | 118 | (>&2·echo·"Remediating·rule·4/94:·'sshd_set_idle_timeout'") |
| 119 | sshd_idle_timeout_value="900" | 119 | sshd_idle_timeout_value="900" |
| Offset 128, 1110 lines modified | Offset 128, 61 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'i | 134 | #·BEGIN·fix·(5·/·94)·for·'auditd_audispd_syslog_plugin_activated' |
| 135 | ############################################################################### | ||
| 136 | (>&2·echo·"Remediating·rule·5/94:·'install_hids'") | ||
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 138 | #·END·fix·for·'install_hids' | ||
| 139 | ############################################################################### | ||
| 140 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_permissions' | ||
| 141 | ############################################################################### | ||
| 142 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_permissions'") | ||
| 143 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 144 | declare·-a·SETPERMS_RPM_LIST | ||
| 145 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 146 | #·is·expected·by·the·RPM·database | ||
| 147 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 148 | #·For·each·file·path·from·that·list: | ||
| 149 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 150 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 151 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 152 | do | ||
| 153 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 154 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 155 | done | ||
| 156 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 157 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 158 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 159 | #·correct·values | ||
| 160 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 161 | do | ||
| 162 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 163 | done | ||
| 164 | #·END·fix·for·'rpm_verify_permissions' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'rpm_verify_hashes' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'rpm_verify_hashes'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'rpm_verify_hashes' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| Max diff block lines reached; 178241/199543 bytes (89.32%) of diff not shown. | |||
| Offset 18, 120 lines modified | Offset 18, 38 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 27 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 28 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 29 | ############################################################################### |
| 102 | #·BEGIN·fix·( | 30 | #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled' |
| 103 | ############################################################################### | 31 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule· | 32 | (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 33 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'service_rexec_disabled' | 34 | #·END·fix·for·'service_rexec_disabled' |
| 107 | ############################################################################### | 35 | ############################################################################### |
| 108 | #·BEGIN·fix·( | 36 | #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled' |
| 109 | ############################################################################### | 37 | ############################################################################### |
| 110 | (>&2·echo·"Remediating·rule· | 38 | (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'") |
| 111 | #·FIX·FOR·THIS·RULE·IS·MISSING | 39 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 112 | #·END·fix·for·'service_rsh_disabled' | 40 | #·END·fix·for·'service_rsh_disabled' |
| 113 | ############################################################################### | 41 | ############################################################################### |
| 114 | #·BEGIN·fix·( | 42 | #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed' |
| 115 | ############################################################################### | 43 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule· | 44 | (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'") |
| 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 118 | # | 46 | # |
| 119 | #·Example·Call(s): | 47 | #·Example·Call(s): |
| 120 | # | 48 | # |
| 121 | #·····package_remove·telnet-server | 49 | #·····package_remove·telnet-server |
| 122 | # | 50 | # |
| 123 | function·package_remove·{ | 51 | function·package_remove·{ |
| Offset 165, 17 lines modified | Offset 83, 17 lines modified | ||
| 165 | } | 83 | } |
| 166 | package_remove·rsh-server | 84 | package_remove·rsh-server |
| 167 | #·END·fix·for·'package_rsh-server_removed' | 85 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 82251/87188 bytes (94.34%) of diff not shown. | |||
| Offset 19, 24 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·186)·for·'s | 25 | #·BEGIN·fix·(1·/·186)·for·'service_ntpd_enabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/186:·'s | 27 | (>&2·echo·"Remediating·rule·1/186:·'service_ntpd_enabled'") |
| 28 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 29 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 30 | ############################################################################### | ||
| 31 | #·BEGIN·fix·(2·/·186)·for·'service_ntpd_enabled' | ||
| 32 | ############################################################################### | ||
| 33 | (>&2·echo·"Remediating·rule·2/186:·'service_ntpd_enabled'") | ||
| 34 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 35 | # | 29 | # |
| 36 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 37 | # | 31 | # |
| 38 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 39 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 40 | # | 34 | # |
| Offset 108, 260 lines modified | Offset 101, 45 lines modified | ||
| 108 | } | 101 | } |
| 109 | service_command·enable·ntpd | 102 | service_command·enable·ntpd |
| 110 | #·END·fix·for·'service_ntpd_enabled' | 103 | #·END·fix·for·'service_ntpd_enabled' |
| 111 | ############################################################################### | 104 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 105 | #·BEGIN·fix·(2·/·186)·for·'ntpd_specify_remote_server' |
| 113 | ############################################################################### | 106 | ############################################################################### |
| 114 | (>&2·echo·"Remediating·rule· | 107 | (>&2·echo·"Remediating·rule·2/186:·'ntpd_specify_remote_server'") |
| 115 | #·FIX·FOR·THIS·RULE·IS·MISSING | 108 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 116 | #·END·fix·for·'ntpd_specify_remote_server' | 109 | #·END·fix·for·'ntpd_specify_remote_server' |
| 117 | ############################################################################### | 110 | ############################################################################### |
| 118 | #·BEGIN·fix·( | 111 | #·BEGIN·fix·(3·/·186)·for·'service_rlogin_disabled' |
| 119 | ############################################################################### | ||
| 120 | (>&2·echo·"Remediating·rule·4/186:·'service_crond_enabled'") | ||
| 121 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 122 | # | ||
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····service_command·enable·bluetooth | ||
| 126 | #·····service_command·disable·bluetooth.service | ||
| 127 | # | ||
| 128 | #·····Using·xinetd: | ||
| 129 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 130 | # | ||
| 131 | function·service_command·{ | ||
| 132 | #·Load·function·arguments·into·local·variables | ||
| 133 | local·service_state=$1 | ||
| 134 | local·service=$2 | ||
| 135 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 136 | #·Check·sanity·of·the·input | ||
| 137 | if·[·$#·-lt·"2"·] | ||
| 138 | then | ||
| 139 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 140 | ··echo | ||
| 141 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 142 | ··echo·"as·the·last·argument"·· | ||
| 143 | ··echo·"Aborting." | ||
| 144 | ··exit·1 | ||
| 145 | fi | ||
| 146 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 147 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 148 | ··service_util="/usr/bin/systemctl" | ||
| 149 | else | ||
| 150 | ··service_util="/sbin/service" | ||
| 151 | ··chkconfig_util="/sbin/chkconfig" | ||
| 152 | fi | ||
| 153 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 154 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 155 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 156 | ··service_state="enable" | ||
| 157 | ··service_operation="start" | ||
| 158 | ··chkconfig_state="on" | ||
| 159 | else | ||
| 160 | ··service_state="disable" | ||
| 161 | ··service_operation="stop" | ||
| 162 | ··chkconfig_state="off" | ||
| 163 | fi | ||
| 164 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 165 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 166 | ··$service_util·$service·$service_operation | ||
| 167 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 168 | else | ||
| 169 | ··$service_util·$service_operation·$service | ||
| 170 | ··$service_util·$service_state·$service | ||
| 171 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 172 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 173 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 174 | ··$service_util·reset-failed·$service | ||
| 175 | fi | ||
| 176 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 177 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 178 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 179 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 180 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 181 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 182 | ··else | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··fi | ||
| 185 | fi | ||
| 186 | } | ||
| 187 | service_command·enable·crond | ||
| 188 | #·END·fix·for·'service_crond_enabled' | ||
| 189 | ############################################################################### | ||
| 190 | #·BEGIN·fix·(5·/·186)·for·'service_atd_disabled' | ||
| 191 | ############################################################################### | ||
| 192 | (>&2·echo·"Remediating·rule·5/186:·'service_atd_disabled'") | ||
| 193 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 194 | # | ||
| 195 | #·Example·Call(s): | ||
| Max diff block lines reached; 435598/444374 bytes (98.03%) of diff not shown. | |||
| Offset 109, 202 lines modified | Offset 109, 38 lines modified | ||
| 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' | 109 | #·BEGIN·fix·(2·/·182)·for·'ntpd_specify_remote_server' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") | 111 | (>&2·echo·"Remediating·rule·2/182:·'ntpd_specify_remote_server'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'ntpd_specify_remote_server' | 113 | #·END·fix·for·'ntpd_specify_remote_server' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(3·/·182)·for·'service_ | 115 | #·BEGIN·fix·(3·/·182)·for·'service_rlogin_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·3/182:·'service_ | 117 | (>&2·echo·"Remediating·rule·3/182:·'service_rlogin_disabled'") |
| 118 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 119 | # | ||
| 120 | #·Example·Call(s): | ||
| 121 | # | ||
| 122 | #·····service_command·enable·bluetooth | ||
| 123 | #·····service_command·disable·bluetooth.service | ||
| 124 | # | ||
| 125 | #·····Using·xinetd: | ||
| 126 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 127 | # | ||
| 128 | function·service_command·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·service_state=$1 | ||
| 131 | local·service=$2 | ||
| 132 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 133 | #·Check·sanity·of·the·input | ||
| 134 | if·[·$#·-lt·"2"·] | ||
| 135 | then | ||
| 136 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 137 | ··echo | ||
| 138 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 139 | ··echo·"as·the·last·argument"·· | ||
| 140 | ··echo·"Aborting." | ||
| 141 | ··exit·1 | ||
| 142 | fi | ||
| 143 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 144 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 145 | ··service_util="/usr/bin/systemctl" | ||
| 146 | else | ||
| 147 | ··service_util="/sbin/service" | ||
| 148 | ··chkconfig_util="/sbin/chkconfig" | ||
| 149 | fi | ||
| 150 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 151 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 152 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 153 | ··service_state="enable" | ||
| 154 | ··service_operation="start" | ||
| 155 | ··chkconfig_state="on" | ||
| 156 | else | ||
| 157 | ··service_state="disable" | ||
| 158 | ··service_operation="stop" | ||
| 159 | ··chkconfig_state="off" | ||
| 160 | fi | ||
| 161 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 162 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 163 | ··$service_util·$service·$service_operation | ||
| 164 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 165 | else | ||
| 166 | ··$service_util·$service_operation·$service | ||
| 167 | ··$service_util·$service_state·$service | ||
| 168 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 169 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 170 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 171 | ··$service_util·reset-failed·$service | ||
| 172 | fi | ||
| 173 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 174 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 175 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 176 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 177 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 178 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 179 | ··else | ||
| 180 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 181 | ··fi | ||
| 182 | fi | ||
| 183 | } | ||
| 184 | service_command·enable·crond | ||
| 185 | #·END·fix·for·'service_crond_enabled' | ||
| 186 | ############################################################################### | ||
| 187 | #·BEGIN·fix·(4·/·182)·for·'service_atd_disabled' | ||
| 188 | ############################################################################### | ||
| 189 | (>&2·echo·"Remediating·rule·4/182:·'service_atd_disabled'") | ||
| 190 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 191 | # | ||
| 192 | #·Example·Call(s): | ||
| 193 | # | ||
| 194 | #·····service_command·enable·bluetooth | ||
| 195 | #·····service_command·disable·bluetooth.service | ||
| 196 | # | ||
| 197 | #·····Using·xinetd: | ||
| 198 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 199 | # | ||
| 200 | function·service_command·{ | ||
| 201 | #·Load·function·arguments·into·local·variables | ||
| 202 | local·service_state=$1 | ||
| 203 | local·service=$2 | ||
| 204 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 205 | #·Check·sanity·of·the·input | ||
| 206 | if·[·$#·-lt·"2"·] | ||
| 207 | then | ||
| 208 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 209 | ··echo | ||
| 210 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 211 | ··echo·"as·the·last·argument"·· | ||
| 212 | ··echo·"Aborting." | ||
| 213 | ··exit·1 | ||
| 214 | fi | ||
| 215 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 216 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 217 | ··service_util="/usr/bin/systemctl" | ||
| 218 | else | ||
| 219 | ··service_util="/sbin/service" | ||
| 220 | ··chkconfig_util="/sbin/chkconfig" | ||
| 221 | fi | ||
| Max diff block lines reached; 433117/439084 bytes (98.64%) of diff not shown. | |||
| Offset 25, 38 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_ | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_present_banner' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_ | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_present_banner'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | 34 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 41 | #·END·fix·for·'ftp_present_banner' | 35 | #·END·fix·for·'ftp_present_banner' |
| 42 | ############################################################################### | 36 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_log_transactions' |
| 44 | ############################################################################### | 38 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_log_transactions'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 40 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·' | 41 | #·END·fix·for·'ftp_log_transactions' |
| 48 | ############################################################################### | 42 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 43 | #·BEGIN·fix·(3·/·250)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | 44 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule· | 45 | (>&2·echo·"Remediating·rule·3/250:·'service_ntpd_enabled'") |
| 52 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 46 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 53 | # | 47 | # |
| 54 | #·Example·Call(s): | 48 | #·Example·Call(s): |
| 55 | # | 49 | # |
| 56 | #·····service_command·enable·bluetooth | 50 | #·····service_command·enable·bluetooth |
| 57 | #·····service_command·disable·bluetooth.service | 51 | #·····service_command·disable·bluetooth.service |
| 58 | # | 52 | # |
| Offset 128, 274 lines modified | Offset 121, 59 lines modified | ||
| 128 | } | 121 | } |
| 129 | service_command·enable·ntpd | 122 | service_command·enable·ntpd |
| 130 | #·END·fix·for·'service_ntpd_enabled' | 123 | #·END·fix·for·'service_ntpd_enabled' |
| 131 | ############################################################################### | 124 | ############################################################################### |
| 132 | #·BEGIN·fix·( | 125 | #·BEGIN·fix·(4·/·250)·for·'ntpd_specify_remote_server' |
| 133 | ############################################################################### | 126 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule· | 127 | (>&2·echo·"Remediating·rule·4/250:·'ntpd_specify_remote_server'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'ntpd_specify_remote_server' | 129 | #·END·fix·for·'ntpd_specify_remote_server' |
| 137 | ############################################################################### | 130 | ############################################################################### |
| 138 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(5·/·250)·for·'snmpd_use_newer_protocol' |
| 139 | ############################################################################### | 132 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·5/250:·'snmpd_use_newer_protocol'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·'snmpd_use_newer_protocol' | 135 | #·END·fix·for·'snmpd_use_newer_protocol' |
| 143 | ############################################################################### | 136 | ############################################################################### |
| 144 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(6·/·250)·for·'snmpd_not_default_password' |
| 145 | ############################################################################### | 138 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·6/250:·'snmpd_not_default_password'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·'snmpd_not_default_password' | 141 | #·END·fix·for·'snmpd_not_default_password' |
| 149 | ############################################################################### | 142 | ############################################################################### |
| 150 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(7·/·250)·for·'service_rlogin_disabled' |
| 151 | ############################################################################### | ||
| 152 | (>&2·echo·"Remediating·rule·8/250:·'service_crond_enabled'") | ||
| 153 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 154 | # | ||
| 155 | #·Example·Call(s): | ||
| 156 | # | ||
| 157 | #·····service_command·enable·bluetooth | ||
| 158 | #·····service_command·disable·bluetooth.service | ||
| 159 | # | ||
| 160 | #·····Using·xinetd: | ||
| 161 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 162 | # | ||
| 163 | function·service_command·{ | ||
| 164 | #·Load·function·arguments·into·local·variables | ||
| 165 | local·service_state=$1 | ||
| 166 | local·service=$2 | ||
| 167 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 168 | #·Check·sanity·of·the·input | ||
| 169 | if·[·$#·-lt·"2"·] | ||
| 170 | then | ||
| 171 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 172 | ··echo | ||
| 173 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 174 | ··echo·"as·the·last·argument"·· | ||
| 175 | ··echo·"Aborting." | ||
| 176 | ··exit·1 | ||
| 177 | fi | ||
| 178 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 179 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 180 | ··service_util="/usr/bin/systemctl" | ||
| 181 | else | ||
| 182 | ··service_util="/sbin/service" | ||
| 183 | ··chkconfig_util="/sbin/chkconfig" | ||
| 184 | fi | ||
| 185 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 186 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 187 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 188 | ··service_state="enable" | ||
| 189 | ··service_operation="start" | ||
| 190 | ··chkconfig_state="on" | ||
| 191 | else | ||
| 192 | ··service_state="disable" | ||
| 193 | ··service_operation="stop" | ||
| 194 | ··chkconfig_state="off" | ||
| 195 | fi | ||
| 196 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 197 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 198 | ··$service_util·$service·$service_operation | ||
| 199 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 200 | else | ||
| 201 | ··$service_util·$service_operation·$service | ||
| 202 | ··$service_util·$service_state·$service | ||
| 203 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 204 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| Max diff block lines reached; 606625/617308 bytes (98.27%) of diff not shown. | |||
| Offset 271, 143 lines modified | Offset 271, 17 lines modified | ||
| 271 | } | 271 | } |
| 272 | package_remove·httpd | 272 | package_remove·httpd |
| 273 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 274 | ############################################################################### | 274 | ############################################################################### |
| 275 | #·BEGIN·fix·(5·/·223)·for·' | 275 | #·BEGIN·fix·(5·/·223)·for·'service_ntpd_enabled' |
| 276 | ############################################################################### | 276 | ############################################################################### |
| 277 | (>&2·echo·"Remediating·rule·5/223:·' | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_ntpd_enabled'") |
| 278 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 279 | # | ||
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····package_remove·telnet-server | ||
| 283 | # | ||
| 284 | function·package_remove·{ | ||
| 285 | #·Load·function·arguments·into·local·variables | ||
| 286 | local·package="$1" | ||
| 287 | #·Check·sanity·of·the·input | ||
| 288 | if·[·$#·-ne·"1"·] | ||
| 289 | then | ||
| 290 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 291 | ··echo·"Aborting." | ||
| 292 | ··exit·1 | ||
| 293 | fi | ||
| 294 | if·which·dnf·;·then | ||
| 295 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 296 | ····dnf·remove·-y·"$package" | ||
| 297 | ··fi | ||
| 298 | elif·which·yum·;·then | ||
| 299 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 300 | ····yum·remove·-y·"$package" | ||
| 301 | ··fi | ||
| 302 | elif·which·apt-get·;·then | ||
| 303 | ··apt-get·remove·-y·"$package" | ||
| 304 | else | ||
| 305 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 306 | ··echo·"Aborting." | ||
| 307 | ··exit·1 | ||
| 308 | fi | ||
| 309 | } | ||
| 310 | package_remove·dhcp | ||
| 311 | #·END·fix·for·'package_dhcp_removed' | ||
| 312 | ############################################################################### | ||
| 313 | #·BEGIN·fix·(6·/·223)·for·'service_dhcpd_disabled' | ||
| 314 | ############################################################################### | ||
| 315 | (>&2·echo·"Remediating·rule·6/223:·'service_dhcpd_disabled'") | ||
| 316 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 317 | # | ||
| 318 | #·Example·Call(s): | ||
| 319 | # | ||
| 320 | #·····service_command·enable·bluetooth | ||
| 321 | #·····service_command·disable·bluetooth.service | ||
| 322 | # | ||
| 323 | #·····Using·xinetd: | ||
| 324 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 325 | # | ||
| 326 | function·service_command·{ | ||
| 327 | #·Load·function·arguments·into·local·variables | ||
| 328 | local·service_state=$1 | ||
| 329 | local·service=$2 | ||
| 330 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 331 | #·Check·sanity·of·the·input | ||
| 332 | if·[·$#·-lt·"2"·] | ||
| 333 | then | ||
| 334 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 335 | ··echo | ||
| 336 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 337 | ··echo·"as·the·last·argument"·· | ||
| 338 | ··echo·"Aborting." | ||
| 339 | ··exit·1 | ||
| 340 | fi | ||
| 341 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 342 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 343 | ··service_util="/usr/bin/systemctl" | ||
| 344 | else | ||
| 345 | ··service_util="/sbin/service" | ||
| 346 | ··chkconfig_util="/sbin/chkconfig" | ||
| 347 | fi | ||
| 348 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 349 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 350 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 351 | ··service_state="enable" | ||
| 352 | ··service_operation="start" | ||
| 353 | ··chkconfig_state="on" | ||
| 354 | else | ||
| 355 | ··service_state="disable" | ||
| 356 | ··service_operation="stop" | ||
| 357 | ··chkconfig_state="off" | ||
| 358 | fi | ||
| 359 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 360 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 361 | ··$service_util·$service·$service_operation | ||
| 362 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 363 | else | ||
| 364 | ··$service_util·$service_operation·$service | ||
| 365 | ··$service_util·$service_state·$service | ||
| 366 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 367 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 368 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 369 | ··$service_util·reset-failed·$service | ||
| 370 | fi | ||
| 371 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 372 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 373 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 374 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 375 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 376 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 377 | ··else | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 379 | ··fi | ||
| 380 | fi | ||
| Max diff block lines reached; 492856/497138 bytes (99.14%) of diff not shown. | |||
| Offset 90, 48 lines modified | Offset 90, 48 lines modified | ||
| 90 | # | 90 | # |
| 91 | #·Stop·rlogin.socket·if·currently·running | 91 | #·Stop·rlogin.socket·if·currently·running |
| 92 | # | 92 | # |
| 93 | systemctl·stop·rlogin.socket | 93 | systemctl·stop·rlogin.socket |
| 94 | #·END·fix·for·'service_rlogin_disabled' | 94 | #·END·fix·for·'service_rlogin_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(3·/·213)·for·'service_r | 96 | #·BEGIN·fix·(3·/·213)·for·'service_rsh_disabled' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·3/213:·'service_r | 98 | (>&2·echo·"Remediating·rule·3/213:·'service_rsh_disabled'") |
| 99 | grep·-qi·disable·/etc/xinetd.d/r | 99 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 100 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 101 | # | 101 | # |
| 102 | #·Disable·r | 102 | #·Disable·rsh.socket·for·all·systemd·targets |
| 103 | # | 103 | # |
| 104 | systemctl·disable·r | 104 | systemctl·disable·rsh.socket |
| 105 | # | 105 | # |
| 106 | #·Stop·r | 106 | #·Stop·rsh.socket·if·currently·running |
| 107 | # | 107 | # |
| 108 | systemctl·stop·r | 108 | systemctl·stop·rsh.socket |
| 109 | #·END·fix·for·'service_r | 109 | #·END·fix·for·'service_rsh_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | #·BEGIN·fix·(4·/·213)·for·'service_r | 111 | #·BEGIN·fix·(4·/·213)·for·'service_rexec_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | (>&2·echo·"Remediating·rule·4/213:·'service_r | 113 | (>&2·echo·"Remediating·rule·4/213:·'service_rexec_disabled'") |
| 114 | grep·-qi·disable·/etc/xinetd.d/r | 114 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 115 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 116 | # | 116 | # |
| 117 | #·Disable·r | 117 | #·Disable·rexec.socket·for·all·systemd·targets |
| 118 | # | 118 | # |
| 119 | systemctl·disable·r | 119 | systemctl·disable·rexec.socket |
| 120 | # | 120 | # |
| 121 | #·Stop·r | 121 | #·Stop·rexec.socket·if·currently·running |
| 122 | # | 122 | # |
| 123 | systemctl·stop·r | 123 | systemctl·stop·rexec.socket |
| 124 | #·END·fix·for·'service_r | 124 | #·END·fix·for·'service_rexec_disabled' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' | 126 | #·BEGIN·fix·(5·/·213)·for·'no_rsh_trust_files' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") | 128 | (>&2·echo·"Remediating·rule·5/213:·'no_rsh_trust_files'") |
| 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | 129 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; |
| Offset 369, 61 lines modified | Offset 369, 17 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled' |
| 374 | ############################################################################### | ||
| 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") | ||
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | 374 | ############################################################################### |
| 413 | (>&2·echo·"Remediating·rule·1 | 375 | (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'") |
| 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 415 | # | 377 | # |
| 416 | #·Example·Call(s): | 378 | #·Example·Call(s): |
| 417 | # | 379 | # |
| 418 | #·····service_command·enable·bluetooth | 380 | #·····service_command·enable·bluetooth |
| 419 | #·····service_command·disable·bluetooth.service | 381 | #·····service_command·disable·bluetooth.service |
| 420 | # | 382 | # |
| Offset 495, 14 lines modified | Offset 451, 58 lines modified | ||
| 495 | } | 451 | } |
| 496 | service_command·disable·xinetd | 452 | service_command·disable·xinetd |
| 497 | #·END·fix·for·'service_xinetd_disabled' | 453 | #·END·fix·for·'service_xinetd_disabled' |
| 498 | ############################################################################### | 454 | ############################################################################### |
| 455 | #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed' | ||
| 456 | ############################################################################### | ||
| 457 | (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'") | ||
| 458 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 459 | # | ||
| 460 | #·Example·Call(s): | ||
| 461 | # | ||
| 462 | #·····package_install·aide | ||
| 463 | # | ||
| Max diff block lines reached; 140250/145947 bytes (96.10%) of diff not shown. | |||
| Offset 969, 28 lines modified | Offset 969, 28 lines modified | ||
| 969 | ··fi | 969 | ··fi |
| 970 | } | 970 | } |
| 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' | 971 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_source_route'·"$sysctl_net_ipv4_conf_default_accept_source_route_value"·'CCE-80162-1' |
| 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' | 972 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_source_route' |
| 973 | ############################################################################### | 973 | ############################################################################### |
| 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_ | 974 | #·BEGIN·fix·(15·/·102)·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 975 | ############################################################################### | 975 | ############################################################################### |
| 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_ | 976 | (>&2·echo·"Remediating·rule·15/102:·'sysctl_net_ipv4_conf_default_accept_redirects'") |
| 977 | sysctl_net_ipv4_ | 977 | sysctl_net_ipv4_conf_default_accept_redirects_value="0" |
| 978 | # | 978 | # |
| 979 | #·Set·runtime·for·net.ipv4. | 979 | #·Set·runtime·for·net.ipv4.conf.default.accept_redirects |
| 980 | # | 980 | # |
| 981 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 981 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value |
| 982 | # | 982 | # |
| 983 | #·If·net.ipv4. | 983 | #·If·net.ipv4.conf.default.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 984 | #» else,·add·"net.ipv4. | 984 | #» else,·add·"net.ipv4.conf.default.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 985 | # | 985 | # |
| 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 986 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 987 | #·it·does·not·exist. | 987 | #·it·does·not·exist. |
| 988 | # | 988 | # |
| 989 | #·Expects·arguments: | 989 | #·Expects·arguments: |
| 990 | # | 990 | # |
| 991 | #·config_file:» » Configuration·file·that·will·be·modified | 991 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1062, 32 lines modified | Offset 1062, 32 lines modified | ||
| 1062 | ··else | 1062 | ··else |
| 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1063 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1064 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1065 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1066 | ··fi | 1066 | ··fi |
| 1067 | } | 1067 | } |
| 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1068 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.default.accept_redirects'·"$sysctl_net_ipv4_conf_default_accept_redirects_value"·'CCE-80163-9' |
| 1069 | #·END·fix·for·'sysctl_net_ipv4_ | 1069 | #·END·fix·for·'sysctl_net_ipv4_conf_default_accept_redirects' |
| 1070 | ############################################################################### | 1070 | ############################################################################### |
| 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_ | 1071 | #·BEGIN·fix·(16·/·102)·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1072 | ############################################################################### | 1072 | ############################################################################### |
| 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_ | 1073 | (>&2·echo·"Remediating·rule·16/102:·'sysctl_net_ipv4_conf_all_accept_redirects'") |
| 1074 | sysctl_net_ipv4_conf_ | 1074 | sysctl_net_ipv4_conf_all_accept_redirects_value="0" |
| 1075 | # | 1075 | # |
| 1076 | #·Set·runtime·for·net.ipv4.conf. | 1076 | #·Set·runtime·for·net.ipv4.conf.all.accept_redirects |
| 1077 | # | 1077 | # |
| 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf. | 1078 | /sbin/sysctl·-q·-n·-w·net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value |
| 1079 | # | 1079 | # |
| 1080 | #·If·net.ipv4.conf. | 1080 | #·If·net.ipv4.conf.all.accept_redirects·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1081 | #» else,·add·"net.ipv4.conf. | 1081 | #» else,·add·"net.ipv4.conf.all.accept_redirects·=·value"·to·/etc/sysctl.conf |
| 1082 | # | 1082 | # |
| 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1083 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1084 | #·it·does·not·exist. | 1084 | #·it·does·not·exist. |
| 1085 | # | 1085 | # |
| 1086 | #·Expects·arguments: | 1086 | #·Expects·arguments: |
| 1087 | # | 1087 | # |
| 1088 | #·config_file:» » Configuration·file·that·will·be·modified | 1088 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1159, 32 lines modified | Offset 1159, 32 lines modified | ||
| 1159 | ··else | 1159 | ··else |
| 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1160 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1161 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1162 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1163 | ··fi | 1163 | ··fi |
| 1164 | } | 1164 | } |
| 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf. | 1165 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.conf.all.accept_redirects'·"$sysctl_net_ipv4_conf_all_accept_redirects_value"·'CCE-80158-9' |
| 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_ | 1166 | #·END·fix·for·'sysctl_net_ipv4_conf_all_accept_redirects' |
| 1167 | ############################################################################### | 1167 | ############################################################################### |
| 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_ | 1168 | #·BEGIN·fix·(17·/·102)·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1169 | ############################################################################### | 1169 | ############################################################################### |
| 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_ | 1170 | (>&2·echo·"Remediating·rule·17/102:·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") |
| 1171 | sysctl_net_ipv4_ | 1171 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="1" |
| 1172 | # | 1172 | # |
| 1173 | #·Set·runtime·for·net.ipv4. | 1173 | #·Set·runtime·for·net.ipv4.icmp_echo_ignore_broadcasts |
| 1174 | # | 1174 | # |
| 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1175 | /sbin/sysctl·-q·-n·-w·net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value |
| 1176 | # | 1176 | # |
| 1177 | #·If·net.ipv4. | 1177 | #·If·net.ipv4.icmp_echo_ignore_broadcasts·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1178 | #» else,·add·"net.ipv4. | 1178 | #» else,·add·"net.ipv4.icmp_echo_ignore_broadcasts·=·value"·to·/etc/sysctl.conf |
| 1179 | # | 1179 | # |
| 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1180 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1181 | #·it·does·not·exist. | 1181 | #·it·does·not·exist. |
| 1182 | # | 1182 | # |
| 1183 | #·Expects·arguments: | 1183 | #·Expects·arguments: |
| 1184 | # | 1184 | # |
| 1185 | #·config_file:» » Configuration·file·that·will·be·modified | 1185 | #·config_file:» » Configuration·file·that·will·be·modified |
| Offset 1256, 32 lines modified | Offset 1256, 32 lines modified | ||
| 1256 | ··else | 1256 | ··else |
| 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 1257 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 1258 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 1259 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 1260 | ··fi | 1260 | ··fi |
| 1261 | } | 1261 | } |
| 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4. | 1262 | replace_or_append·'/etc/sysctl.conf'·'^net.ipv4.icmp_echo_ignore_broadcasts'·"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"·'CCE-80165-4' |
| 1263 | #·END·fix·for·'sysctl_net_ipv4_ | 1263 | #·END·fix·for·'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' |
| 1264 | ############################################################################### | 1264 | ############################################################################### |
| 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_ | 1265 | #·BEGIN·fix·(18·/·102)·for·'sysctl_net_ipv4_tcp_syncookies' |
| 1266 | ############################################################################### | 1266 | ############################################################################### |
| 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_ | 1267 | (>&2·echo·"Remediating·rule·18/102:·'sysctl_net_ipv4_tcp_syncookies'") |
| 1268 | sysctl_net_ipv4_ | 1268 | sysctl_net_ipv4_tcp_syncookies_value="1" |
| 1269 | # | 1269 | # |
| 1270 | #·Set·runtime·for·net.ipv4. | 1270 | #·Set·runtime·for·net.ipv4.tcp_syncookies |
| 1271 | # | 1271 | # |
| 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4. | 1272 | /sbin/sysctl·-q·-n·-w·net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value |
| 1273 | # | 1273 | # |
| 1274 | #·If·net.ipv4. | 1274 | #·If·net.ipv4.tcp_syncookies·present·in·/etc/sysctl.conf,·change·value·to·appropriate·value |
| 1275 | #» else,·add·"net.ipv4. | 1275 | #» else,·add·"net.ipv4.tcp_syncookies·=·value"·to·/etc/sysctl.conf |
| 1276 | # | 1276 | # |
| 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 1277 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 1278 | #·it·does·not·exist. | 1278 | #·it·does·not·exist. |
| 1279 | # | 1279 | # |
| 1280 | #·Expects·arguments: | 1280 | #·Expects·arguments: |
| 1281 | # | 1281 | # |
| 1282 | #·config_file:» » Configuration·file·that·will·be·modified | 1282 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 70926/79104 bytes (89.66%) of diff not shown. | |||
| Offset 88, 48 lines modified | Offset 88, 48 lines modified | ||
| 88 | # | 88 | # |
| 89 | #·Stop·rlogin.socket·if·currently·running | 89 | #·Stop·rlogin.socket·if·currently·running |
| 90 | # | 90 | # |
| 91 | systemctl·stop·rlogin.socket | 91 | systemctl·stop·rlogin.socket |
| 92 | #·END·fix·for·'service_rlogin_disabled' | 92 | #·END·fix·for·'service_rlogin_disabled' |
| 93 | ############################################################################### | 93 | ############################################################################### |
| 94 | #·BEGIN·fix·(3·/·149)·for·'service_r | 94 | #·BEGIN·fix·(3·/·149)·for·'service_rsh_disabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | (>&2·echo·"Remediating·rule·3/149:·'service_r | 96 | (>&2·echo·"Remediating·rule·3/149:·'service_rsh_disabled'") |
| 97 | grep·-qi·disable·/etc/xinetd.d/r | 97 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 98 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 99 | # | 99 | # |
| 100 | #·Disable·r | 100 | #·Disable·rsh.socket·for·all·systemd·targets |
| 101 | # | 101 | # |
| 102 | systemctl·disable·r | 102 | systemctl·disable·rsh.socket |
| 103 | # | 103 | # |
| 104 | #·Stop·r | 104 | #·Stop·rsh.socket·if·currently·running |
| 105 | # | 105 | # |
| 106 | systemctl·stop·r | 106 | systemctl·stop·rsh.socket |
| 107 | #·END·fix·for·'service_r | 107 | #·END·fix·for·'service_rsh_disabled' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(4·/·149)·for·'service_r | 109 | #·BEGIN·fix·(4·/·149)·for·'service_rexec_disabled' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·4/149:·'service_r | 111 | (>&2·echo·"Remediating·rule·4/149:·'service_rexec_disabled'") |
| 112 | grep·-qi·disable·/etc/xinetd.d/r | 112 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 113 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 114 | # | 114 | # |
| 115 | #·Disable·r | 115 | #·Disable·rexec.socket·for·all·systemd·targets |
| 116 | # | 116 | # |
| 117 | systemctl·disable·r | 117 | systemctl·disable·rexec.socket |
| 118 | # | 118 | # |
| 119 | #·Stop·r | 119 | #·Stop·rexec.socket·if·currently·running |
| 120 | # | 120 | # |
| 121 | systemctl·stop·r | 121 | systemctl·stop·rexec.socket |
| 122 | #·END·fix·for·'service_r | 122 | #·END·fix·for·'service_rexec_disabled' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' | 124 | #·BEGIN·fix·(5·/·149)·for·'package_rsh-server_removed' |
| 125 | ############################################################################### | 125 | ############################################################################### |
| 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") | 126 | (>&2·echo·"Remediating·rule·5/149:·'package_rsh-server_removed'") |
| 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 127 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 128 | # | 128 | # |
| Offset 2482, 29 lines modified | Offset 2482, 29 lines modified | ||
| 2482 | ··fi | 2482 | ··fi |
| 2483 | } | 2483 | } |
| 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' | 2484 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUXTYPE='·$var_selinux_policy_name·'CCE-27279-9'·'%s=%s' |
| 2485 | #·END·fix·for·'selinux_policytype' | 2485 | #·END·fix·for·'selinux_policytype' |
| 2486 | ############################################################################### | 2486 | ############################################################################### |
| 2487 | #·BEGIN·fix·(44·/·149)·for·' | 2487 | #·BEGIN·fix·(44·/·149)·for·'enable_selinux_bootloader' |
| 2488 | ############################################################################### | ||
| 2489 | (>&2·echo·"Remediating·rule·44/149:·'selinux_confinement_of_daemons'") | ||
| 2490 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2491 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2492 | ############################################################################### | 2488 | ############################################################################### |
| 2493 | 2489 | (>&2·echo·"Remediating·rule·44/149:·'enable_selinux_bootloader'") | |
| 2494 | ############################################################################### | ||
| 2495 | (>&2·echo·"Remediating·rule·45/149:·'enable_selinux_bootloader'") | ||
| 2496 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2490 | sed·-i·--follow-symlinks·"s/selinux=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2497 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* | 2491 | sed·-i·--follow-symlinks·"s/enforcing=0//gI"·/etc/default/grub·/etc/grub2.cfg·/etc/grub.d/* |
| 2498 | #·END·fix·for·'enable_selinux_bootloader' | 2492 | #·END·fix·for·'enable_selinux_bootloader' |
| 2499 | ############################################################################### | 2493 | ############################################################################### |
| 2494 | #·BEGIN·fix·(45·/·149)·for·'selinux_confinement_of_daemons' | ||
| 2495 | ############################################################################### | ||
| 2496 | (>&2·echo·"Remediating·rule·45/149:·'selinux_confinement_of_daemons'") | ||
| 2497 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 2498 | #·END·fix·for·'selinux_confinement_of_daemons' | ||
| 2499 | ############################################################################### | ||
| 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' | 2500 | #·BEGIN·fix·(46·/·149)·for·'selinux_state' |
| 2501 | ############################################################################### | 2501 | ############################################################################### |
| 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") | 2502 | (>&2·echo·"Remediating·rule·46/149:·'selinux_state'") |
| 2503 | var_selinux_state="enforcing" | 2503 | var_selinux_state="enforcing" |
| 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 2504 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 2505 | #·it·does·not·exist. | 2505 | #·it·does·not·exist. |
| Offset 2587, 35 lines modified | Offset 2587, 35 lines modified | ||
| 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' | 2587 | replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'CCE-27334-2'·'%s=%s' |
| 2588 | fixfiles·onboot | 2588 | fixfiles·onboot |
| 2589 | fixfiles·-f·relabel | 2589 | fixfiles·-f·relabel |
| 2590 | #·END·fix·for·'selinux_state' | 2590 | #·END·fix·for·'selinux_state' |
| 2591 | ############################################################################### | 2591 | ############################################################################### |
| 2592 | #·BEGIN·fix·(47·/·149)·for·' | 2592 | #·BEGIN·fix·(47·/·149)·for·'no_direct_root_logins' |
| 2593 | ############################################################################### | 2593 | ############################################################################### |
| 2594 | (>&2·echo·"Remediating·rule·47/149:·' | 2594 | (>&2·echo·"Remediating·rule·47/149:·'no_direct_root_logins'") |
| 2595 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2596 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2597 | ############################################################################### | ||
| 2598 | #·BEGIN·fix·(48·/·149)·for·'no_direct_root_logins' | ||
| 2599 | ############################################################################### | ||
| 2600 | (>&2·echo·"Remediating·rule·48/149:·'no_direct_root_logins'") | ||
| 2601 | echo·>·/etc/securetty | 2595 | echo·>·/etc/securetty |
| 2602 | #·END·fix·for·'no_direct_root_logins' | 2596 | #·END·fix·for·'no_direct_root_logins' |
| 2603 | ############################################################################### | 2597 | ############################################################################### |
| 2604 | #·BEGIN·fix·(4 | 2598 | #·BEGIN·fix·(48·/·149)·for·'securetty_root_login_console_only' |
| 2605 | ############################################################################### | 2599 | ############################################################################### |
| 2606 | (>&2·echo·"Remediating·rule·4 | 2600 | (>&2·echo·"Remediating·rule·48/149:·'securetty_root_login_console_only'") |
| 2607 | sed·-i·'/^vc\//d'·/etc/securetty | 2601 | sed·-i·'/^vc\//d'·/etc/securetty |
| 2608 | #·END·fix·for·'securetty_root_login_console_only' | 2602 | #·END·fix·for·'securetty_root_login_console_only' |
| 2609 | ############################################################################### | 2603 | ############################################################################### |
| 2604 | #·BEGIN·fix·(49·/·149)·for·'restrict_serial_port_logins' | ||
| 2605 | ############################################################################### | ||
| 2606 | (>&2·echo·"Remediating·rule·49/149:·'restrict_serial_port_logins'") | ||
| 2607 | sed·-i·'/ttyS/d'·/etc/securetty | ||
| 2608 | #·END·fix·for·'restrict_serial_port_logins' | ||
| 2609 | ############################################################################### | ||
| 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' | 2610 | #·BEGIN·fix·(50·/·149)·for·'no_empty_passwords' |
| 2611 | ############################################################################### | 2611 | ############################################################################### |
| 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") | 2612 | (>&2·echo·"Remediating·rule·50/149:·'no_empty_passwords'") |
| 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 2613 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 2614 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| 2615 | #·END·fix·for·'no_empty_passwords' | 2615 | #·END·fix·for·'no_empty_passwords' |
| Max diff block lines reached; 121413/128266 bytes (94.66%) of diff not shown. | |||
| Offset 96, 48 lines modified | Offset 96, 48 lines modified | ||
| 96 | # | 96 | # |
| 97 | #·Stop·rlogin.socket·if·currently·running | 97 | #·Stop·rlogin.socket·if·currently·running |
| 98 | # | 98 | # |
| 99 | systemctl·stop·rlogin.socket | 99 | systemctl·stop·rlogin.socket |
| 100 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(3·/·358)·for·'service_r | 102 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 104 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 105 | grep·-qi·disable·/etc/xinetd.d/r | 105 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 106 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 107 | # | 107 | # |
| 108 | #·Disable·r | 108 | #·Disable·rsh.socket·for·all·systemd·targets |
| 109 | # | 109 | # |
| 110 | systemctl·disable·r | 110 | systemctl·disable·rsh.socket |
| 111 | # | 111 | # |
| 112 | #·Stop·r | 112 | #·Stop·rsh.socket·if·currently·running |
| 113 | # | 113 | # |
| 114 | systemctl·stop·r | 114 | systemctl·stop·rsh.socket |
| 115 | #·END·fix·for·'service_r | 115 | #·END·fix·for·'service_rsh_disabled' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | #·BEGIN·fix·(4·/·358)·for·'service_r | 117 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 119 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 120 | grep·-qi·disable·/etc/xinetd.d/r | 120 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 121 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 122 | # | 122 | # |
| 123 | #·Disable·r | 123 | #·Disable·rexec.socket·for·all·systemd·targets |
| 124 | # | 124 | # |
| 125 | systemctl·disable·r | 125 | systemctl·disable·rexec.socket |
| 126 | # | 126 | # |
| 127 | #·Stop·r | 127 | #·Stop·rexec.socket·if·currently·running |
| 128 | # | 128 | # |
| 129 | systemctl·stop·r | 129 | systemctl·stop·rexec.socket |
| 130 | #·END·fix·for·'service_r | 130 | #·END·fix·for·'service_rexec_disabled' |
| 131 | ############################################################################### | 131 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 132 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 134 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 136 | # |
| Offset 3080, 17 lines modified | Offset 3080, 113 lines modified | ||
| 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3080 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3081 | ############################################################################### | 3081 | ############################################################################### |
| 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3082 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3083 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3084 | #·END·fix·for·'rsyslog_nolisten' | 3084 | #·END·fix·for·'rsyslog_nolisten' |
| 3085 | ############################################################################### | 3085 | ############################################################################### |
| 3086 | #·BEGIN·fix·(59·/·358)·for·'s | 3086 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3087 | ############################################################################### | ||
| 3088 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3089 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3090 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3091 | ############################################################################### | ||
| 3092 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3093 | ############################################################################### | ||
| 3094 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3095 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3096 | # | ||
| 3097 | #·Example·Call(s): | ||
| 3098 | # | ||
| 3099 | #·····service_command·enable·bluetooth | ||
| 3100 | #·····service_command·disable·bluetooth.service | ||
| 3101 | # | ||
| 3102 | #·····Using·xinetd: | ||
| 3103 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3104 | # | ||
| 3105 | function·service_command·{ | ||
| 3106 | #·Load·function·arguments·into·local·variables | ||
| 3107 | local·service_state=$1 | ||
| 3108 | local·service=$2 | ||
| 3109 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3110 | #·Check·sanity·of·the·input | ||
| 3111 | if·[·$#·-lt·"2"·] | ||
| 3112 | then | ||
| 3113 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3114 | ··echo | ||
| 3115 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3116 | ··echo·"as·the·last·argument"·· | ||
| 3117 | ··echo·"Aborting." | ||
| 3118 | ··exit·1 | ||
| 3119 | fi | ||
| 3120 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3121 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3122 | ··service_util="/usr/bin/systemctl" | ||
| 3123 | else | ||
| 3124 | ··service_util="/sbin/service" | ||
| 3125 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3126 | fi | ||
| 3127 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3128 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3129 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3130 | ··service_state="enable" | ||
| 3131 | ··service_operation="start" | ||
| 3132 | ··chkconfig_state="on" | ||
| 3133 | else | ||
| 3134 | ··service_state="disable" | ||
| 3135 | ··service_operation="stop" | ||
| 3136 | ··chkconfig_state="off" | ||
| 3137 | fi | ||
| 3138 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3139 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3140 | ··$service_util·$service·$service_operation | ||
| 3141 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3142 | else | ||
| 3143 | ··$service_util·$service_operation·$service | ||
| 3144 | ··$service_util·$service_state·$service | ||
| 3145 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3146 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3147 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3148 | ··$service_util·reset-failed·$service | ||
| 3149 | fi | ||
| Max diff block lines reached; 244908/250997 bytes (97.57%) of diff not shown. | |||
| Offset 107, 48 lines modified | Offset 107, 48 lines modified | ||
| 107 | # | 107 | # |
| 108 | #·Stop·rlogin.socket·if·currently·running | 108 | #·Stop·rlogin.socket·if·currently·running |
| 109 | # | 109 | # |
| 110 | systemctl·stop·rlogin.socket | 110 | systemctl·stop·rlogin.socket |
| 111 | #·END·fix·for·'service_rlogin_disabled' | 111 | #·END·fix·for·'service_rlogin_disabled' |
| 112 | ############################################################################### | 112 | ############################################################################### |
| 113 | #·BEGIN·fix·(3·/·358)·for·'service_r | 113 | #·BEGIN·fix·(3·/·358)·for·'service_rsh_disabled' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | (>&2·echo·"Remediating·rule·3/358:·'service_r | 115 | (>&2·echo·"Remediating·rule·3/358:·'service_rsh_disabled'") |
| 116 | grep·-qi·disable·/etc/xinetd.d/r | 116 | grep·-qi·disable·/etc/xinetd.d/rsh·&&·\ |
| 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 117 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rsh |
| 118 | # | 118 | # |
| 119 | #·Disable·r | 119 | #·Disable·rsh.socket·for·all·systemd·targets |
| 120 | # | 120 | # |
| 121 | systemctl·disable·r | 121 | systemctl·disable·rsh.socket |
| 122 | # | 122 | # |
| 123 | #·Stop·r | 123 | #·Stop·rsh.socket·if·currently·running |
| 124 | # | 124 | # |
| 125 | systemctl·stop·r | 125 | systemctl·stop·rsh.socket |
| 126 | #·END·fix·for·'service_r | 126 | #·END·fix·for·'service_rsh_disabled' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | #·BEGIN·fix·(4·/·358)·for·'service_r | 128 | #·BEGIN·fix·(4·/·358)·for·'service_rexec_disabled' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | (>&2·echo·"Remediating·rule·4/358:·'service_r | 130 | (>&2·echo·"Remediating·rule·4/358:·'service_rexec_disabled'") |
| 131 | grep·-qi·disable·/etc/xinetd.d/r | 131 | grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/r | 132 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 133 | # | 133 | # |
| 134 | #·Disable·r | 134 | #·Disable·rexec.socket·for·all·systemd·targets |
| 135 | # | 135 | # |
| 136 | systemctl·disable·r | 136 | systemctl·disable·rexec.socket |
| 137 | # | 137 | # |
| 138 | #·Stop·r | 138 | #·Stop·rexec.socket·if·currently·running |
| 139 | # | 139 | # |
| 140 | systemctl·stop·r | 140 | systemctl·stop·rexec.socket |
| 141 | #·END·fix·for·'service_r | 141 | #·END·fix·for·'service_rexec_disabled' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' | 143 | #·BEGIN·fix·(5·/·358)·for·'package_rsh-server_removed' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") | 145 | (>&2·echo·"Remediating·rule·5/358:·'package_rsh-server_removed'") |
| 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 146 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 147 | # | 147 | # |
| Offset 3091, 17 lines modified | Offset 3091, 113 lines modified | ||
| 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' | 3091 | #·BEGIN·fix·(58·/·358)·for·'rsyslog_nolisten' |
| 3092 | ############################################################################### | 3092 | ############################################################################### |
| 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") | 3093 | (>&2·echo·"Remediating·rule·58/358:·'rsyslog_nolisten'") |
| 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING | 3094 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 3095 | #·END·fix·for·'rsyslog_nolisten' | 3095 | #·END·fix·for·'rsyslog_nolisten' |
| 3096 | ############################################################################### | 3096 | ############################################################################### |
| 3097 | #·BEGIN·fix·(59·/·358)·for·'s | 3097 | #·BEGIN·fix·(59·/·358)·for·'set_firewalld_default_zone' |
| 3098 | ############################################################################### | ||
| 3099 | (>&2·echo·"Remediating·rule·59/358:·'set_firewalld_default_zone'") | ||
| 3100 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 3101 | #·END·fix·for·'set_firewalld_default_zone' | ||
| 3102 | ############################################################################### | ||
| 3103 | #·BEGIN·fix·(60·/·358)·for·'service_firewalld_enabled' | ||
| 3104 | ############################################################################### | ||
| 3105 | (>&2·echo·"Remediating·rule·60/358:·'service_firewalld_enabled'") | ||
| 3106 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 3107 | # | ||
| 3108 | #·Example·Call(s): | ||
| 3109 | # | ||
| 3110 | #·····service_command·enable·bluetooth | ||
| 3111 | #·····service_command·disable·bluetooth.service | ||
| 3112 | # | ||
| 3113 | #·····Using·xinetd: | ||
| 3114 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 3115 | # | ||
| 3116 | function·service_command·{ | ||
| 3117 | #·Load·function·arguments·into·local·variables | ||
| 3118 | local·service_state=$1 | ||
| 3119 | local·service=$2 | ||
| 3120 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 3121 | #·Check·sanity·of·the·input | ||
| 3122 | if·[·$#·-lt·"2"·] | ||
| 3123 | then | ||
| 3124 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 3125 | ··echo | ||
| 3126 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 3127 | ··echo·"as·the·last·argument"·· | ||
| 3128 | ··echo·"Aborting." | ||
| 3129 | ··exit·1 | ||
| 3130 | fi | ||
| 3131 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 3132 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 3133 | ··service_util="/usr/bin/systemctl" | ||
| 3134 | else | ||
| 3135 | ··service_util="/sbin/service" | ||
| 3136 | ··chkconfig_util="/sbin/chkconfig" | ||
| 3137 | fi | ||
| 3138 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 3139 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 3140 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 3141 | ··service_state="enable" | ||
| 3142 | ··service_operation="start" | ||
| 3143 | ··chkconfig_state="on" | ||
| 3144 | else | ||
| 3145 | ··service_state="disable" | ||
| 3146 | ··service_operation="stop" | ||
| 3147 | ··chkconfig_state="off" | ||
| 3148 | fi | ||
| 3149 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 3150 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 3151 | ··$service_util·$service·$service_operation | ||
| 3152 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 3153 | else | ||
| 3154 | ··$service_util·$service_operation·$service | ||
| 3155 | ··$service_util·$service_state·$service | ||
| 3156 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 3157 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 3158 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 3159 | ··$service_util·reset-failed·$service | ||
| 3160 | fi | ||
| Max diff block lines reached; 244908/250999 bytes (97.57%) of diff not shown. | |||
| Offset 376, 31 lines modified | Offset 376, 38 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_idle_timeout' | 379 | #·END·fix·for·'sshd_set_idle_timeout' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(5·/·94)·for·' | 381 | #·BEGIN·fix·(5·/·94)·for·'ensure_logrotate_activated' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·5/94:·' | 383 | (>&2·echo·"Remediating·rule·5/94:·'ensure_logrotate_activated'") |
| 384 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 385 | #·END·fix·for·'rsyslog_files_groupownership' | ||
| 386 | 384 | LOGROTATE_CONF_FILE="/etc/logrotate.conf" | |
| 387 | 385 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | |
| 388 | ############################################################################### | ||
| 389 | 386 | #·daily·rotation·is·configured | |
| 390 | 387 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | |
| 391 | #·END·fix·for·'rsyslog_files_ownership' | ||
| 388 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 389 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 390 | #·configure·cron.daily·if·not·already | ||
| 391 | if·!·grep·-q·"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$"·$CRON_DAILY_LOGROTATE_FILE;·then | ||
| 392 | » echo·"#!/bin/sh"·>·$CRON_DAILY_LOGROTATE_FILE | ||
| 393 | » echo·"/usr/sbin/logrotate·$LOGROTATE_CONF_FILE"·>>·$CRON_DAILY_LOGROTATE_FILE | ||
| 394 | fi | ||
| 395 | #·END·fix·for·'ensure_logrotate_activated' | ||
| 392 | ############################################################################### | 396 | ############################################################################### |
| 393 | #·BEGIN·fix·( | 397 | #·BEGIN·fix·(6·/·94)·for·'rsyslog_files_permissions' |
| 394 | ############################################################################### | 398 | ############################################################################### |
| 395 | (>&2·echo·"Remediating·rule· | 399 | (>&2·echo·"Remediating·rule·6/94:·'rsyslog_files_permissions'") |
| 396 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions | 400 | #·List·of·log·file·paths·to·be·inspected·for·correct·permissions |
| 397 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf | 401 | #·*·Primarily·inspect·log·file·paths·listed·in·/etc/rsyslog.conf |
| 398 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" | 402 | RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" |
| 399 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive | 403 | #·*·And·also·the·log·file·paths·listed·after·rsyslog's·$IncludeConfig·directive |
| 400 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) | 404 | #···(store·the·result·into·array·for·the·case·there's·shell·glob·used·as·value·of·IncludeConfig) |
| 401 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) | 405 | RSYSLOG_INCLUDE_CONFIG=($(grep·-e·"\$IncludeConfig[[:space:]]\+[^[:space:];]\+"·/etc/rsyslog.conf·|·cut·-d·'·'·-f·2)) |
| Offset 449, 33 lines modified | Offset 456, 26 lines modified | ||
| 449 | » then | 456 | » then |
| 450 | » » /bin/chmod·600·"$PATH" | 457 | » » /bin/chmod·600·"$PATH" |
| 451 | » fi | 458 | » fi |
| 452 | done | 459 | done |
| 453 | #·END·fix·for·'rsyslog_files_permissions' | 460 | #·END·fix·for·'rsyslog_files_permissions' |
| 454 | ############################################################################### | 461 | ############################################################################### |
| 455 | #·BEGIN·fix·( | 462 | #·BEGIN·fix·(7·/·94)·for·'rsyslog_files_ownership' |
| 456 | ############################################################################### | 463 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule· | 464 | (>&2·echo·"Remediating·rule·7/94:·'rsyslog_files_ownership'") |
| 465 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 458 | 466 | #·END·fix·for·'rsyslog_files_ownership' | |
| 459 | CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" | ||
| 460 | #·daily·rotation·is·configured | ||
| 461 | grep·-q·"^daily$"·$LOGROTATE_CONF_FILE||·echo·"daily"·>>·$LOGROTATE_CONF_FILE | ||
| 462 | #·remove·any·line·configuring·weekly,·monthly·or·yearly·rotation | ||
| 463 | sed·-i·-r·"/^(weekly|monthly|yearly)$/d"·$LOGROTATE_CONF_FILE | ||
| 464 | # | 467 | ############################################################################### |
| 465 | 468 | #·BEGIN·fix·(8·/·94)·for·'rsyslog_files_groupownership' | |
| 466 | 469 | ############################################################################### | |
| 467 | 470 | (>&2·echo·"Remediating·rule·8/94:·'rsyslog_files_groupownership'") | |
| 468 | 471 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 469 | #·END·fix·for·' | 472 | #·END·fix·for·'rsyslog_files_groupownership' |
| 470 | ############################################################################### | 473 | ############################################################################### |
| 471 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' | 474 | #·BEGIN·fix·(9·/·94)·for·'package_libreswan_installed' |
| 472 | ############################################################################### | 475 | ############################################################################### |
| 473 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") | 476 | (>&2·echo·"Remediating·rule·9/94:·'package_libreswan_installed'") |
| 474 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 477 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 475 | # | 478 | # |
| Offset 528, 24 lines modified | Offset 528, 46 lines modified | ||
| 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs | 528 | ··sed·-i·"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS·····$var_accounts_maximum_age_login_defs/g"·/etc/login.defs |
| 529 | if·!·[·$?·-eq·0·];·then | 529 | if·!·[·$?·-eq·0·];·then |
| 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs | 530 | ····echo·"PASS_MAX_DAYS······$var_accounts_maximum_age_login_defs"·>>·/etc/login.defs |
| 531 | fi | 531 | fi |
| 532 | #·END·fix·for·'accounts_maximum_age_login_defs' | 532 | #·END·fix·for·'accounts_maximum_age_login_defs' |
| 533 | ############################################################################### | 533 | ############################################################################### |
| 534 | #·BEGIN·fix·(11·/·94)·for·' | 534 | #·BEGIN·fix·(11·/·94)·for·'no_empty_passwords' |
| 535 | ############################################################################### | 535 | ############################################################################### |
| 536 | (>&2·echo·"Remediating·rule·11/94:·' | 536 | (>&2·echo·"Remediating·rule·11/94:·'no_empty_passwords'") |
| 537 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | ||
| 538 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | ||
| 539 | #·END·fix·for·'no_empty_passwords' | ||
| 540 | ############################################################################### | ||
| 541 | #·BEGIN·fix·(12·/·94)·for·'accounts_password_all_shadowed' | ||
| 542 | ############################################################################### | ||
| 543 | (>&2·echo·"Remediating·rule·12/94:·'accounts_password_all_shadowed'") | ||
| 544 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 545 | #·END·fix·for·'accounts_password_all_shadowed' | ||
| 546 | ############################################################################### | ||
| 547 | #·BEGIN·fix·(13·/·94)·for·'gid_passwd_group_same' | ||
| 548 | ############################################################################### | ||
| 549 | (>&2·echo·"Remediating·rule·13/94:·'gid_passwd_group_same'") | ||
| 550 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 551 | #·END·fix·for·'gid_passwd_group_same' | ||
| 552 | ############################################################################### | ||
| 553 | #·BEGIN·fix·(14·/·94)·for·'account_unique_name' | ||
| 554 | ############################################################################### | ||
| 555 | (>&2·echo·"Remediating·rule·14/94:·'account_unique_name'") | ||
| 537 | #·FIX·FOR·THIS·RULE·IS·MISSING | 556 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 538 | #·END·fix·for·'account_unique_name' | 557 | #·END·fix·for·'account_unique_name' |
| 539 | ############################################################################### | 558 | ############################################################################### |
| 540 | #·BEGIN·fix·(1 | 559 | #·BEGIN·fix·(15·/·94)·for·'account_disable_post_pw_expiration' |
| 541 | ############################################################################### | 560 | ############################################################################### |
| 542 | (>&2·echo·"Remediating·rule·1 | 561 | (>&2·echo·"Remediating·rule·15/94:·'account_disable_post_pw_expiration'") |
| 543 | var_account_disable_post_pw_expiration="90" | 562 | var_account_disable_post_pw_expiration="90" |
| 544 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 563 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 545 | #·it·does·not·exist. | 564 | #·it·does·not·exist. |
| 546 | # | 565 | # |
| 547 | #·Expects·arguments: | 566 | #·Expects·arguments: |
| 548 | # | 567 | # |
| Offset 622, 71 lines modified | Offset 644, 49 lines modified | ||
| 622 | ··fi | 644 | ··fi |
| 623 | } | 645 | } |
| 624 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' | 646 | replace_or_append·'/etc/default/useradd'·'^INACTIVE'·"$var_account_disable_post_pw_expiration"·'CCE-27355-7'·'%s=%s' |
| 625 | #·END·fix·for·'account_disable_post_pw_expiration' | 647 | #·END·fix·for·'account_disable_post_pw_expiration' |
| Max diff block lines reached; 67060/74413 bytes (90.12%) of diff not shown. | |||
| Offset 1299, 26 lines modified | Offset 1299, 26 lines modified | ||
| 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1299 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1300 | if·!·[·$?·-eq·0·];·then | 1300 | if·!·[·$?·-eq·0·];·then |
| 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1301 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1302 | fi | 1302 | fi |
| 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1303 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1304 | ############################################################################### | 1304 | ############################################################################### |
| 1305 | #·BEGIN·fix·(25·/·70)·for·' | 1305 | #·BEGIN·fix·(25·/·70)·for·'accounts_no_uid_except_zero' |
| 1306 | ############################################################################### | 1306 | ############################################################################### |
| 1307 | (>&2·echo·"Remediating·rule·25/70:·' | 1307 | (>&2·echo·"Remediating·rule·25/70:·'accounts_no_uid_except_zero'") |
| 1308 | 1308 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1309 | #·END·fix·for·' | 1309 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1310 | ############################################################################### | 1310 | ############################################################################### |
| 1311 | #·BEGIN·fix·(26·/·70)·for·' | 1311 | #·BEGIN·fix·(26·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1312 | ############################################################################### | 1312 | ############################################################################### |
| 1313 | (>&2·echo·"Remediating·rule·26/70:·' | 1313 | (>&2·echo·"Remediating·rule·26/70:·'no_shelllogin_for_systemaccounts'") |
| 1314 | 1314 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1315 | #·END·fix·for·' | 1315 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1316 | ############################################################################### | 1316 | ############################################################################### |
| 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' | 1317 | #·BEGIN·fix·(27·/·70)·for·'no_empty_passwords' |
| 1318 | ############################################################################### | 1318 | ############################################################################### |
| 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") | 1319 | (>&2·echo·"Remediating·rule·27/70:·'no_empty_passwords'") |
| 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth | 1320 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/system-auth |
| 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth | 1321 | sed·--follow-symlinks·-i·'s/\<nullok\>//g'·/etc/pam.d/password-auth |
| Offset 1340, 37 lines modified | Offset 1340, 37 lines modified | ||
| 1340 | else | 1340 | else |
| 1341 | » echo·""·>>·/etc/login.defs | 1341 | » echo·""·>>·/etc/login.defs |
| 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs | 1342 | » echo·"ENCRYPT_METHOD·SHA512"·>>·/etc/login.defs |
| 1343 | fi | 1343 | fi |
| 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' | 1344 | #·END·fix·for·'set_password_hashing_algorithm_logindefs' |
| 1345 | ############################################################################### | 1345 | ############################################################################### |
| 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_ | 1346 | #·BEGIN·fix·(30·/·70)·for·'set_password_hashing_algorithm_systemauth' |
| 1347 | ############################################################################### | 1347 | ############################################################################### |
| 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_ | 1348 | (>&2·echo·"Remediating·rule·30/70:·'set_password_hashing_algorithm_systemauth'") |
| 1349 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1350 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1351 | ############################################################################### | ||
| 1352 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_systemauth' | ||
| 1353 | ############################################################################### | ||
| 1354 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_systemauth'") | ||
| 1355 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1349 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| 1356 | AUTH_FILES[1]="/etc/pam.d/password-auth" | 1350 | AUTH_FILES[1]="/etc/pam.d/password-auth" |
| 1357 | for·pamFile·in·"${AUTH_FILES[@]}" | 1351 | for·pamFile·in·"${AUTH_FILES[@]}" |
| 1358 | do | 1352 | do |
| 1359 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then | 1353 | » if·!·grep·-q·"^password.*sufficient.*pam_unix.so.*sha512"·$pamFile;·then |
| 1360 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile | 1354 | » » sed·-i·--follow-symlinks·"/^password.*sufficient.*pam_unix.so/·s/$/·sha512/"·$pamFile |
| 1361 | » fi | 1355 | » fi |
| 1362 | done | 1356 | done |
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' | 1357 | #·END·fix·for·'set_password_hashing_algorithm_systemauth' |
| 1364 | ############################################################################### | 1358 | ############################################################################### |
| 1359 | #·BEGIN·fix·(31·/·70)·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1360 | ############################################################################### | ||
| 1361 | (>&2·echo·"Remediating·rule·31/70:·'set_password_hashing_algorithm_libuserconf'") | ||
| 1362 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 1363 | #·END·fix·for·'set_password_hashing_algorithm_libuserconf' | ||
| 1364 | ############################################################################### | ||
| 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' | 1365 | #·BEGIN·fix·(32·/·70)·for·'accounts_password_pam_unix_remember' |
| 1366 | ############################################################################### | 1366 | ############################################################################### |
| 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") | 1367 | (>&2·echo·"Remediating·rule·32/70:·'accounts_password_pam_unix_remember'") |
| 1368 | var_password_pam_unix_remember="5" | 1368 | var_password_pam_unix_remember="5" |
| 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" | 1369 | AUTH_FILES[0]="/etc/pam.d/system-auth" |
| Offset 1946, 51 lines modified | Offset 1946, 52 lines modified | ||
| 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service | 1946 | grep·-q·"^ExecStart=\-.*/sbin/sulogin"·/usr/lib/systemd/system/rescue.service |
| 1947 | if·!·[·$?·-eq·0·];·then | 1947 | if·!·[·$?·-eq·0·];·then |
| 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service | 1948 | ····sed·-i·"s/ExecStart=-.*-c·\"/&\/sbin\/sulogin;·/g"·/usr/lib/systemd/system/rescue.service |
| 1949 | fi | 1949 | fi |
| 1950 | #·END·fix·for·'require_singleuser_auth' | 1950 | #·END·fix·for·'require_singleuser_auth' |
| 1951 | ############################################################################### | 1951 | ############################################################################### |
| 1952 | #·BEGIN·fix·(45·/·70)·for·' | 1952 | #·BEGIN·fix·(45·/·70)·for·'file_permissions_etc_shadow' |
| 1953 | ############################################################################### | ||
| 1954 | (>&2·echo·"Remediating·rule·45/70:·'userowner_shadow_file'") | ||
| 1955 | chown·root·/etc/shadow | ||
| 1956 | #·END·fix·for·'userowner_shadow_file' | ||
| 1957 | ############################################################################### | 1953 | ############################################################################### |
| 1958 | 1954 | (>&2·echo·"Remediating·rule·45/70:·'file_permissions_etc_shadow'") | |
| 1959 | ############################################################################### | ||
| 1960 | (>&2·echo·"Remediating·rule·46/70:·'file_permissions_etc_shadow'") | ||
| 1961 | chmod·0000·/etc/shadow | 1955 | chmod·0000·/etc/shadow |
| 1962 | #·END·fix·for·'file_permissions_etc_shadow' | 1956 | #·END·fix·for·'file_permissions_etc_shadow' |
| 1963 | ############################################################################### | 1957 | ############################################################################### |
| 1964 | #·BEGIN·fix·(4 | 1958 | #·BEGIN·fix·(46·/·70)·for·'groupowner_shadow_file' |
| 1965 | ############################################################################### | 1959 | ############################################################################### |
| 1966 | (>&2·echo·"Remediating·rule·4 | 1960 | (>&2·echo·"Remediating·rule·46/70:·'groupowner_shadow_file'") |
| 1967 | chgrp·root·/etc/shadow | 1961 | chgrp·root·/etc/shadow |
| 1968 | #·END·fix·for·'groupowner_shadow_file' | 1962 | #·END·fix·for·'groupowner_shadow_file' |
| 1969 | ############################################################################### | 1963 | ############################################################################### |
| 1970 | #·BEGIN·fix·(4 | 1964 | #·BEGIN·fix·(47·/·70)·for·'file_owner_etc_group' |
| 1971 | ############################################################################### | 1965 | ############################################################################### |
| 1972 | (>&2·echo·"Remediating·rule·4 | 1966 | (>&2·echo·"Remediating·rule·47/70:·'file_owner_etc_group'") |
| 1973 | chown·root·/etc/group | 1967 | chown·root·/etc/group |
| 1974 | #·END·fix·for·'file_owner_etc_group' | 1968 | #·END·fix·for·'file_owner_etc_group' |
| 1975 | ############################################################################### | 1969 | ############################################################################### |
| 1976 | #·BEGIN·fix·(4 | 1970 | #·BEGIN·fix·(48·/·70)·for·'file_permissions_etc_group' |
| 1977 | ############################################################################### | 1971 | ############################################################################### |
| 1978 | (>&2·echo·"Remediating·rule·4 | 1972 | (>&2·echo·"Remediating·rule·48/70:·'file_permissions_etc_group'") |
| 1979 | chmod·0644·/etc/group | 1973 | chmod·0644·/etc/group |
| 1980 | #·END·fix·for·'file_permissions_etc_group' | 1974 | #·END·fix·for·'file_permissions_etc_group' |
| 1981 | ############################################################################### | 1975 | ############################################################################### |
| 1976 | #·BEGIN·fix·(49·/·70)·for·'file_groupowner_etc_passwd' | ||
| 1977 | ############################################################################### | ||
| 1978 | (>&2·echo·"Remediating·rule·49/70:·'file_groupowner_etc_passwd'") | ||
| 1979 | chgrp·root·/etc/passwd | ||
| 1980 | #·END·fix·for·'file_groupowner_etc_passwd' | ||
| 1981 | ############################################################################### | ||
| 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' | 1982 | #·BEGIN·fix·(50·/·70)·for·'file_groupowner_etc_gshadow' |
| 1983 | ############################################################################### | 1983 | ############################################################################### |
| 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") | 1984 | (>&2·echo·"Remediating·rule·50/70:·'file_groupowner_etc_gshadow'") |
| Max diff block lines reached; 1167/8456 bytes (13.80%) of diff not shown. | |||
| Offset 681, 99 lines modified | Offset 681, 17 lines modified | ||
| 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' | 681 | #·BEGIN·fix·(14·/·51)·for·'dir_perms_world_writable_sticky_bits' |
| 682 | ############################################################################### | 682 | ############################################################################### |
| 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") | 683 | (>&2·echo·"Remediating·rule·14/51:·'dir_perms_world_writable_sticky_bits'") |
| 684 | #·FIX·FOR·THIS·RULE·IS·MISSING | 684 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' | 685 | #·END·fix·for·'dir_perms_world_writable_sticky_bits' |
| 686 | ############################################################################### | 686 | ############################################################################### |
| 687 | #·BEGIN·fix·(15·/·51)·for·' | 687 | #·BEGIN·fix·(15·/·51)·for·'mount_option_dev_shm_nosuid' |
| 688 | ############################################################################### | 688 | ############################################################################### |
| 689 | (>&2·echo·"Remediating·rule·15/51:·' | 689 | (>&2·echo·"Remediating·rule·15/51:·'mount_option_dev_shm_nosuid'") |
| 690 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 691 | # | ||
| 692 | #·Example·Call(s): | ||
| 693 | # | ||
| 694 | #·····service_command·enable·bluetooth | ||
| 695 | #·····service_command·disable·bluetooth.service | ||
| 696 | # | ||
| 697 | #·····Using·xinetd: | ||
| 698 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 699 | # | ||
| 700 | function·service_command·{ | ||
| 701 | #·Load·function·arguments·into·local·variables | ||
| 702 | local·service_state=$1 | ||
| 703 | local·service=$2 | ||
| 704 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 705 | #·Check·sanity·of·the·input | ||
| 706 | if·[·$#·-lt·"2"·] | ||
| 707 | then | ||
| 708 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 709 | ··echo | ||
| 710 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 711 | ··echo·"as·the·last·argument"·· | ||
| 712 | ··echo·"Aborting." | ||
| 713 | ··exit·1 | ||
| 714 | fi | ||
| 715 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 716 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 717 | ··service_util="/usr/bin/systemctl" | ||
| 718 | else | ||
| 719 | ··service_util="/sbin/service" | ||
| 720 | ··chkconfig_util="/sbin/chkconfig" | ||
| 721 | fi | ||
| 722 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 723 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 724 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 725 | ··service_state="enable" | ||
| 726 | ··service_operation="start" | ||
| 727 | ··chkconfig_state="on" | ||
| 728 | else | ||
| 729 | ··service_state="disable" | ||
| 730 | ··service_operation="stop" | ||
| 731 | ··chkconfig_state="off" | ||
| 732 | fi | ||
| 733 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 734 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 735 | ··$service_util·$service·$service_operation | ||
| 736 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 737 | else | ||
| 738 | ··$service_util·$service_operation·$service | ||
| 739 | ··$service_util·$service_state·$service | ||
| 740 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 741 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 742 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 743 | ··$service_util·reset-failed·$service | ||
| 744 | fi | ||
| 745 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 746 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 747 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 748 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 749 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 750 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 751 | ··else | ||
| 752 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 753 | ··fi | ||
| 754 | fi | ||
| 755 | } | ||
| 756 | service_command·disable·autofs | ||
| 757 | #·END·fix·for·'service_autofs_disabled' | ||
| 758 | ############################################################################### | ||
| 759 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nosuid' | ||
| 760 | ############################################################################### | ||
| 761 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nosuid'") | ||
| 762 | function·include_mount_options_functions·{ | 690 | function·include_mount_options_functions·{ |
| 763 | » : | 691 | » : |
| 764 | } | 692 | } |
| 765 | #·$1:·mount·point | 693 | #·$1:·mount·point |
| 766 | #·$2:·new·mount·point·option | 694 | #·$2:·new·mount·point·option |
| 767 | function·ensure_mount_option_in_fstab·{ | 695 | function·ensure_mount_option_in_fstab·{ |
| Offset 828, 17 lines modified | Offset 746, 17 lines modified | ||
| 828 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" | 746 | ensure_mount_option_in_fstab·"/dev/shm"·"nosuid" |
| 829 | ensure_partition_is_mounted·"/dev/shm" | 747 | ensure_partition_is_mounted·"/dev/shm" |
| 830 | #·END·fix·for·'mount_option_dev_shm_nosuid' | 748 | #·END·fix·for·'mount_option_dev_shm_nosuid' |
| 831 | ############################################################################### | 749 | ############################################################################### |
| 832 | #·BEGIN·fix·(1 | 750 | #·BEGIN·fix·(16·/·51)·for·'mount_option_dev_shm_nodev' |
| 833 | ############################################################################### | 751 | ############################################################################### |
| 834 | (>&2·echo·"Remediating·rule·1 | 752 | (>&2·echo·"Remediating·rule·16/51:·'mount_option_dev_shm_nodev'") |
| 835 | function·include_mount_options_functions·{ | 753 | function·include_mount_options_functions·{ |
| 836 | » : | 754 | » : |
| 837 | } | 755 | } |
| 838 | #·$1:·mount·point | 756 | #·$1:·mount·point |
| 839 | #·$2:·new·mount·point·option | 757 | #·$2:·new·mount·point·option |
| 840 | function·ensure_mount_option_in_fstab·{ | 758 | function·ensure_mount_option_in_fstab·{ |
| Offset 893, 14 lines modified | Offset 811, 96 lines modified | ||
| 893 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" | 811 | ensure_mount_option_in_fstab·"/dev/shm"·"nodev" |
| 894 | ensure_partition_is_mounted·"/dev/shm" | 812 | ensure_partition_is_mounted·"/dev/shm" |
| 895 | #·END·fix·for·'mount_option_dev_shm_nodev' | 813 | #·END·fix·for·'mount_option_dev_shm_nodev' |
| 896 | ############################################################################### | 814 | ############################################################################### |
| 815 | #·BEGIN·fix·(17·/·51)·for·'service_autofs_disabled' | ||
| 816 | ############################################################################### | ||
| Max diff block lines reached; 48602/55764 bytes (87.16%) of diff not shown. | |||
| Offset 28, 42 lines modified | Offset 28, 42 lines modified | ||
| 28 | # | 28 | # |
| 29 | #·How·to·apply·this·remediation·role: | 29 | #·How·to·apply·this·remediation·role: |
| 30 | #·$·sudo·./remediation-role.sh | 30 | #·$·sudo·./remediation-role.sh |
| 31 | # | 31 | # |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | ############################################################################### | 33 | ############################################################################### |
| 34 | #·BEGIN·fix·(1·/·243)·for·'no_host_based_files' | 34 | #·BEGIN·fix·(1·/·243)·for·'no_user_host_based_files' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | (>&2·echo·"Remediating·rule·1/243:·'no_host_based_files'") | 36 | (>&2·echo·"Remediating·rule·1/243:·'no_user_host_based_files'") |
| 37 | #·Identify·local·mounts | 37 | #·Identify·local·mounts |
| 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 38 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 39 | #·Find·file·on·each·listed·mount·point | 39 | #·Find·file·on·each·listed·mount·point |
| 40 | for·cur_mount·in·${MOUNT_LIST} | 40 | for·cur_mount·in·${MOUNT_LIST} |
| 41 | do | 41 | do |
| 42 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts | 42 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 43 | done | 43 | done |
| 44 | #·END·fix·for·'no_host_based_files' | 44 | #·END·fix·for·'no_user_host_based_files' |
| 45 | ############################################################################### | 45 | ############################################################################### |
| 46 | #·BEGIN·fix·(2·/·243)·for·'no_ | 46 | #·BEGIN·fix·(2·/·243)·for·'no_host_based_files' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/243:·'no_ | 48 | (>&2·echo·"Remediating·rule·2/243:·'no_host_based_files'") |
| 49 | #·Identify·local·mounts | 49 | #·Identify·local·mounts |
| 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 50 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 51 | #·Find·file·on·each·listed·mount·point | 51 | #·Find·file·on·each·listed·mount·point |
| 52 | for·cur_mount·in·${MOUNT_LIST} | 52 | for·cur_mount·in·${MOUNT_LIST} |
| 53 | do | 53 | do |
| 54 | » find·${cur_mount}·-xdev·-type·f·-name·" | 54 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 55 | done | 55 | done |
| 56 | #·END·fix·for·'no_ | 56 | #·END·fix·for·'no_host_based_files' |
| 57 | ############################################################################### | 57 | ############################################################################### |
| 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' | 58 | #·BEGIN·fix·(3·/·243)·for·'package_rsh-server_removed' |
| 59 | ############################################################################### | 59 | ############################################################################### |
| 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") | 60 | (>&2·echo·"Remediating·rule·3/243:·'package_rsh-server_removed'") |
| 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 61 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 62 | # | 62 | # |
| Offset 190, 24 lines modified | Offset 190, 17 lines modified | ||
| 190 | } | 190 | } |
| 191 | package_remove·ypserv | 191 | package_remove·ypserv |
| 192 | #·END·fix·for·'package_ypserv_removed' | 192 | #·END·fix·for·'package_ypserv_removed' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | #·BEGIN·fix·(6·/·243)·for·'tftp | 194 | #·BEGIN·fix·(6·/·243)·for·'package_tftp-server_removed' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | (>&2·echo·"Remediating·rule·6/243:·'tftp | 196 | (>&2·echo·"Remediating·rule·6/243:·'package_tftp-server_removed'") |
| 197 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 198 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 199 | ############################################################################### | ||
| 200 | #·BEGIN·fix·(7·/·243)·for·'package_tftp-server_removed' | ||
| 201 | ############################################################################### | ||
| 202 | (>&2·echo·"Remediating·rule·7/243:·'package_tftp-server_removed'") | ||
| 203 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 197 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 198 | # |
| 205 | #·Example·Call(s): | 199 | #·Example·Call(s): |
| 206 | # | 200 | # |
| 207 | #·····package_remove·telnet-server | 201 | #·····package_remove·telnet-server |
| 208 | # | 202 | # |
| 209 | function·package_remove·{ | 203 | function·package_remove·{ |
| Offset 241, 14 lines modified | Offset 234, 21 lines modified | ||
| 241 | } | 234 | } |
| 242 | package_remove·tftp-server | 235 | package_remove·tftp-server |
| 243 | #·END·fix·for·'package_tftp-server_removed' | 236 | #·END·fix·for·'package_tftp-server_removed' |
| 244 | ############################################################################### | 237 | ############################################################################### |
| 238 | #·BEGIN·fix·(7·/·243)·for·'tftpd_uses_secure_mode' | ||
| 239 | ############################################################################### | ||
| 240 | (>&2·echo·"Remediating·rule·7/243:·'tftpd_uses_secure_mode'") | ||
| 241 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 242 | #·END·fix·for·'tftpd_uses_secure_mode' | ||
| 243 | ############################################################################### | ||
| 245 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' | 244 | #·BEGIN·fix·(8·/·243)·for·'package_vsftpd_removed' |
| 246 | ############################################################################### | 245 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") | 246 | (>&2·echo·"Remediating·rule·8/243:·'package_vsftpd_removed'") |
| 248 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 247 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 249 | # | 248 | # |
| 250 | #·Example·Call(s): | 249 | #·Example·Call(s): |
| 251 | # | 250 | # |
| Offset 475, 26 lines modified | Offset 475, 26 lines modified | ||
| 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf | 475 | » echo·"smtpd_client_restrictions·=·permit_mynetworks,reject"·>>·/etc/postfix/main.cf |
| 476 | else | 476 | else |
| 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf | 477 | » sed·-i·"s/^smtpd_client_restrictions.*/smtpd_client_restrictions·=·permit_mynetworks,reject/g"·/etc/postfix/main.cf |
| 478 | fi | 478 | fi |
| 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' | 479 | #·END·fix·for·'postfix_prevent_unrestricted_relay' |
| 480 | ############################################################################### | 480 | ############################################################################### |
| 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_ | 481 | #·BEGIN·fix·(20·/·243)·for·'mount_option_noexec_remote_filesystems' |
| 482 | ############################################################################### | 482 | ############################################################################### |
| 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_ | 483 | (>&2·echo·"Remediating·rule·20/243:·'mount_option_noexec_remote_filesystems'") |
| 484 | #·FIX·FOR·THIS·RULE·IS·MISSING | 484 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 485 | #·END·fix·for·'mount_option_ | 485 | #·END·fix·for·'mount_option_noexec_remote_filesystems' |
| 486 | ############################################################################### | 486 | ############################################################################### |
| 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_ | 487 | #·BEGIN·fix·(21·/·243)·for·'mount_option_krb_sec_remote_filesystems' |
| 488 | ############################################################################### | 488 | ############################################################################### |
| 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_ | 489 | (>&2·echo·"Remediating·rule·21/243:·'mount_option_krb_sec_remote_filesystems'") |
| 490 | #·FIX·FOR·THIS·RULE·IS·MISSING | 490 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 491 | #·END·fix·for·'mount_option_ | 491 | #·END·fix·for·'mount_option_krb_sec_remote_filesystems' |
| 492 | ############################################################################### | 492 | ############################################################################### |
| 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 493 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 494 | ############################################################################### | 494 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 495 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 496 | #·FIX·FOR·THIS·RULE·IS·MISSING | 496 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 497 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| Offset 2270, 128 lines modified | Offset 2270, 24 lines modified | ||
| 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' | 2270 | #·BEGIN·fix·(49·/·243)·for·'rsyslog_nolisten' |
| 2271 | ############################################################################### | 2271 | ############################################################################### |
| 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") | 2272 | (>&2·echo·"Remediating·rule·49/243:·'rsyslog_nolisten'") |
| 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING | 2273 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 2274 | #·END·fix·for·'rsyslog_nolisten' | 2274 | #·END·fix·for·'rsyslog_nolisten' |
| 2275 | ############################################################################### | 2275 | ############################################################################### |
| 2276 | #·BEGIN·fix·(50·/·243)·for·'s | 2276 | #·BEGIN·fix·(50·/·243)·for·'set_firewalld_default_zone' |
| 2277 | ############################################################################### | ||
| 2278 | (>&2·echo·"Remediating·rule·50/243:·'sysctl_net_ipv6_conf_all_accept_source_route'") | ||
| Max diff block lines reached; 153301/163979 bytes (93.49%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="202 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-04-28T11:48:20"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>202 | 39 | ········<ns5:timestamp>2020-04-27T21:33:55</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> | 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> |
| Offset 27893, 35 lines modified | Offset 27893, 35 lines modified | ||
| 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns3:variables> | 27897 | ······</ns3:variables> |
| 27898 | ····</ns3:oval_definitions> | 27898 | ····</ns3:oval_definitions> |
| 27899 | ··</ns0:component> | 27899 | ··</ns0:component> |
| 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="202 | 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-04-28T11:48:20"> |
| 27901 | ····<ns9:ocil> | 27901 | ····<ns9:ocil> |
| 27902 | ······<ns9:generator> | 27902 | ······<ns9:generator> |
| 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> | 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 27907 | ······</ns9:generator> | 27907 | ······</ns9:generator> |
| 27908 | ······<ns9:questionnaires> | 27908 | ······<ns9:questionnaires> |
| 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27910 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> | ||
| 27911 | ··········<ns9:actions> | ||
| 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> | ||
| 27913 | ··········</ns9:actions> | ||
| 27914 | ········</ns9:questionnaire> | ||
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27916 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> | 27910 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> |
| 27917 | ··········<ns9:actions> | 27911 | ··········<ns9:actions> |
| 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> | 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> |
| 27919 | ··········</ns9:actions> | 27913 | ··········</ns9:actions> |
| 27920 | ········</ns9:questionnaire> | 27914 | ········</ns9:questionnaire> |
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> | ||
| 27917 | ··········<ns9:actions> | ||
| 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> | ||
| 27919 | ··········</ns9:actions> | ||
| 27920 | ········</ns9:questionnaire> | ||
| 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> | 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> |
| 27923 | ··········<ns9:actions> | 27923 | ··········<ns9:actions> |
| 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> | 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27925 | ··········</ns9:actions> | 27925 | ··········</ns9:actions> |
| 27926 | ········</ns9:questionnaire> | 27926 | ········</ns9:questionnaire> |
| 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 27968, 32 lines modified | Offset 27968, 14 lines modified | ||
| 27968 | ········</ns9:questionnaire> | 27968 | ········</ns9:questionnaire> |
| 27969 | ········<ns9:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> | 27969 | ········<ns9:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> |
| 27970 | ··········<ns9:title>Enable·the·SSSD·Service</ns9:title> | 27970 | ··········<ns9:title>Enable·the·SSSD·Service</ns9:title> |
| 27971 | ··········<ns9:actions> | 27971 | ··········<ns9:actions> |
| 27972 | ············<ns9:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns9:test_action_ref> | 27972 | ············<ns9:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns9:test_action_ref> |
| 27973 | ··········</ns9:actions> | 27973 | ··········</ns9:actions> |
| 27974 | ········</ns9:questionnaire> | 27974 | ········</ns9:questionnaire> |
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns9:title>Disable·DHCP·Client</ns9:title> | ||
| 27977 | ··········<ns9:actions> | ||
| 27978 | ············<ns9:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns9:test_action_ref> | ||
| 27979 | ··········</ns9:actions> | ||
| 27980 | ········</ns9:questionnaire> | ||
| 27981 | ········<ns9:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns9:title>Uninstall·DHCP·Server·Package</ns9:title> | ||
| 27983 | ··········<ns9:actions> | ||
| 27984 | ············<ns9:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns9:test_action_ref> | ||
| 27985 | ··········</ns9:actions> | ||
| 27986 | ········</ns9:questionnaire> | ||
| 27987 | ········<ns9:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> | ||
| 27988 | ··········<ns9:title>Disable·DHCP·Service</ns9:title> | ||
| 27989 | ··········<ns9:actions> | ||
| 27990 | ············<ns9:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 27991 | ··········</ns9:actions> | ||
| 27992 | ········</ns9:questionnaire> | ||
| 27993 | ········<ns9:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> | 27975 | ········<ns9:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> |
| 27994 | ··········<ns9:title>Enable·the·NTP·Daemon</ns9:title> | 27976 | ··········<ns9:title>Enable·the·NTP·Daemon</ns9:title> |
| 27995 | ··········<ns9:actions> | 27977 | ··········<ns9:actions> |
| 27996 | ············<ns9:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns9:test_action_ref> | 27978 | ············<ns9:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns9:test_action_ref> |
| 27997 | ··········</ns9:actions> | 27979 | ··········</ns9:actions> |
| 27998 | ········</ns9:questionnaire> | 27980 | ········</ns9:questionnaire> |
| 27999 | ········<ns9:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> | 27981 | ········<ns9:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> |
| Offset 28028, 44 lines modified | Offset 28010, 14 lines modified | ||
| 28028 | ········</ns9:questionnaire> | 28010 | ········</ns9:questionnaire> |
| 28029 | ········<ns9:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> | 28011 | ········<ns9:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> |
| 28030 | ··········<ns9:title>Disable·snmpd·Service</ns9:title> | 28012 | ··········<ns9:title>Disable·snmpd·Service</ns9:title> |
| 28031 | ··········<ns9:actions> | 28013 | ··········<ns9:actions> |
| 28032 | ············<ns9:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns9:test_action_ref> | 28014 | ············<ns9:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 28033 | ··········</ns9:actions> | 28015 | ··········</ns9:actions> |
| 28034 | ········</ns9:questionnaire> | 28016 | ········</ns9:questionnaire> |
| 28035 | ········<ns9:questionnaire·id="ocil:ssg-disable_anacron_ocil:questionnaire:1"> | ||
| 28036 | ··········<ns9:title>Disable·anacron·Service</ns9:title> | ||
| 28037 | ··········<ns9:actions> | ||
| 28038 | ············<ns9:test_action_ref>ocil:ssg-disable_anacron_action:testaction:1</ns9:test_action_ref> | ||
| 28039 | ··········</ns9:actions> | ||
| 28040 | ········</ns9:questionnaire> | ||
| 28041 | ········<ns9:questionnaire·id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1"> | ||
| 28042 | ··········<ns9:title>Enable·cron·Service</ns9:title> | ||
| 28043 | ··········<ns9:actions> | ||
| 28044 | ············<ns9:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ns9:test_action_ref> | ||
| 28045 | ··········</ns9:actions> | ||
| 28046 | ········</ns9:questionnaire> | ||
| 28047 | ········<ns9:questionnaire·id="ocil:ssg-service_atd_disabled_ocil:questionnaire:1"> | ||
| 28048 | ··········<ns9:title>Disable·At·Service·(atd)</ns9:title> | ||
| 28049 | ··········<ns9:actions> | ||
| 28050 | ············<ns9:test_action_ref>ocil:ssg-service_atd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 28051 | ··········</ns9:actions> | ||
| 28052 | ········</ns9:questionnaire> | ||
| 28053 | ········<ns9:questionnaire·id="ocil:ssg-xwindows_runlevel_setting_ocil:questionnaire:1"> | ||
| 28054 | ··········<ns9:title>Disable·X·Windows·Startup·By·Setting·Runlevel</ns9:title> | ||
| 28055 | ··········<ns9:actions> | ||
| 28056 | ············<ns9:test_action_ref>ocil:ssg-xwindows_runlevel_setting_action:testaction:1</ns9:test_action_ref> | ||
| 28057 | ··········</ns9:actions> | ||
| Max diff block lines reached; 4629034/4637972 bytes (99.81%) of diff not shown. | |||
| Offset 431, 45 lines modified | Offset 431, 35 lines modified | ||
| 431 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> | 431 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> |
| 432 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> | 432 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> |
| 433 | ····<ns0:select·idref="httpd_core_modules"·selected="false"/> | 433 | ····<ns0:select·idref="httpd_core_modules"·selected="false"/> |
| 434 | ····<ns0:select·idref="httpd_basic_authentication"·selected="false"/> | 434 | ····<ns0:select·idref="httpd_basic_authentication"·selected="false"/> |
| 435 | ····<ns0:select·idref="httpd_minimize_config_files_included"·selected="false"/> | 435 | ····<ns0:select·idref="httpd_minimize_config_files_included"·selected="false"/> |
| 436 | ····<ns0:select·idref="httpd_optional_components"·selected="false"/> | 436 | ····<ns0:select·idref="httpd_optional_components"·selected="false"/> |
| 437 | ····<ns0:select·idref="sssd"·selected="false"/> | 437 | ····<ns0:select·idref="sssd"·selected="false"/> |
| 438 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 439 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 440 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 441 | ····<ns0:select·idref="printing"·selected="false"/> | 438 | ····<ns0:select·idref="printing"·selected="false"/> |
| 442 | ····<ns0:select·idref="configure_printing"·selected="false"/> | 439 | ····<ns0:select·idref="configure_printing"·selected="false"/> |
| 443 | ····<ns0:select·idref="snmp"·selected="false"/> | 440 | ····<ns0:select·idref="snmp"·selected="false"/> |
| 444 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> | 441 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> |
| 445 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> | 442 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> |
| 446 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 447 | ····<ns0:select·idref="talk"·selected="false"/> | 443 | ····<ns0:select·idref="talk"·selected="false"/> |
| 448 | ····<ns0:select·idref=" | 444 | ····<ns0:select·idref="ldap_server_config_certificate_files"·selected="false"/> |
| 449 | ····<ns0:select·idref=" | 445 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> |
| 450 | ····<ns0:select·idref=" | 446 | ····<ns0:select·idref="proxy"·selected="false"/> |
| 451 | ····<ns0:select·idref=" | 447 | ····<ns0:select·idref="disabling_squid"·selected="false"/> |
| 452 | ····<ns0:select·idref="disabling_nfs"·selected="false"/> | ||
| 453 | ····<ns0:select·idref="disabling_nfs_services"·selected="false"/> | ||
| 454 | ····<ns0:select·idref="disabling_netfs"·selected="false"/> | ||
| 455 | ····<ns0:select·idref="nfs_configuring_all_machines"·selected="false"/> | ||
| 456 | ····<ns0:select·idref="nfs_configure_fixed_ports"·selected="false"/> | ||
| 457 | ····<ns0:select·idref="nfs_client_or_server_not_both"·selected="false"/> | ||
| 458 | ····<ns0:select·idref="disabling_nfsd"·selected="false"/> | ||
| 459 | ····<ns0:select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 460 | ····<ns0:select·idref="dns"·selected="false"/> | 448 | ····<ns0:select·idref="dns"·selected="false"/> |
| 461 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 462 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 463 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 464 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> | 449 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> |
| 465 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> | 450 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> |
| 466 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> | 451 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> |
| 452 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 453 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 454 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 467 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> | 455 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> |
| 468 | ····<ns0:select·idref=" | 456 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> |
| 457 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 458 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 469 | ····<ns0:select·idref="postfix_harden_os"·selected="false"/> | 459 | ····<ns0:select·idref="postfix_harden_os"·selected="false"/> |
| 470 | ····<ns0:select·idref="postfix_configure_ssl_certs"·selected="false"/> | 460 | ····<ns0:select·idref="postfix_configure_ssl_certs"·selected="false"/> |
| 471 | ····<ns0:select·idref="postfix_install_ssl_cert"·selected="false"/> | 461 | ····<ns0:select·idref="postfix_install_ssl_cert"·selected="false"/> |
| 472 | ····<ns0:select·idref="postfix_server_configuration"·selected="false"/> | 462 | ····<ns0:select·idref="postfix_server_configuration"·selected="false"/> |
| 473 | ····<ns0:select·idref="postfix_server_mail_relay"·selected="false"/> | 463 | ····<ns0:select·idref="postfix_server_mail_relay"·selected="false"/> |
| 474 | ····<ns0:select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> | 464 | ····<ns0:select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> |
| 475 | ····<ns0:select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> | 465 | ····<ns0:select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> |
| Offset 483, 25 lines modified | Offset 473, 26 lines modified | ||
| 483 | ····<ns0:select·idref="dovecot_enabling_ssl"·selected="false"/> | 473 | ····<ns0:select·idref="dovecot_enabling_ssl"·selected="false"/> |
| 484 | ····<ns0:select·idref="dovecot_allow_imap_access"·selected="false"/> | 474 | ····<ns0:select·idref="dovecot_allow_imap_access"·selected="false"/> |
| 485 | ····<ns0:select·idref="dovecot_support_necessary_protocols"·selected="false"/> | 475 | ····<ns0:select·idref="dovecot_support_necessary_protocols"·selected="false"/> |
| 486 | ····<ns0:select·idref="disabling_dovecot"·selected="false"/> | 476 | ····<ns0:select·idref="disabling_dovecot"·selected="false"/> |
| 487 | ····<ns0:select·idref="disabling_samba"·selected="false"/> | 477 | ····<ns0:select·idref="disabling_samba"·selected="false"/> |
| 488 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> | 478 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> |
| 489 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> | 479 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> |
| 490 | ····<ns0:select·idref=" | 480 | ····<ns0:select·idref="nfs_configuring_servers"·selected="false"/> |
| 491 | ····<ns0:select·idref=" | 481 | ····<ns0:select·idref="export_filesystems_read_only"·selected="false"/> |
| 492 | ····<ns0:select·idref=" | 482 | ····<ns0:select·idref="configure_exports_restrictively"·selected="false"/> |
| 493 | ····<ns0:select·idref=" | 483 | ····<ns0:select·idref="use_acl_enforce_auth_restrictions"·selected="false"/> |
| 494 | ····<ns0:select·idref=" | 484 | ····<ns0:select·idref="disabling_nfs"·selected="false"/> |
| 495 | ····<ns0:select·idref="fi | 485 | ····<ns0:select·idref="disabling_nfs_services"·selected="false"/> |
| 496 | ····<ns0:select·idref=" | 486 | ····<ns0:select·idref="disabling_netfs"·selected="false"/> |
| 497 | ····<ns0:select·idref=" | 487 | ····<ns0:select·idref="nfs_configuring_all_machines"·selected="false"/> |
| 498 | ····<ns0:select·idref=" | 488 | ····<ns0:select·idref="nfs_configure_fixed_ports"·selected="false"/> |
| 499 | ····<ns0:select·idref=" | 489 | ····<ns0:select·idref="nfs_client_or_server_not_both"·selected="false"/> |
| 500 | ····<ns0:select·idref=" | 490 | ····<ns0:select·idref="disabling_nfsd"·selected="false"/> |
| 491 | ····<ns0:select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 501 | ····<ns0:select·idref="configure_logwatch_on_logserver"·selected="false"/> | 492 | ····<ns0:select·idref="configure_logwatch_on_logserver"·selected="false"/> |
| 502 | ····<ns0:select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 493 | ····<ns0:select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 503 | ····<ns0:select·idref="network-ipsec"·selected="false"/> | 494 | ····<ns0:select·idref="network-ipsec"·selected="false"/> |
| 504 | ····<ns0:select·idref="iptables_icmp_disabled"·selected="false"/> | 495 | ····<ns0:select·idref="iptables_icmp_disabled"·selected="false"/> |
| 505 | ····<ns0:select·idref="iptables_log_and_drop_suspicious"·selected="false"/> | 496 | ····<ns0:select·idref="iptables_log_and_drop_suspicious"·selected="false"/> |
| 506 | ····<ns0:select·idref="network_ipv6_limit_requests"·selected="false"/> | 497 | ····<ns0:select·idref="network_ipv6_limit_requests"·selected="false"/> |
| 507 | ····<ns0:select·idref="disabling_ipv6"·selected="false"/> | 498 | ····<ns0:select·idref="disabling_ipv6"·selected="false"/> |
| Offset 509, 16 lines modified | Offset 500, 25 lines modified | ||
| 509 | ····<ns0:select·idref="network_disable_unused_interfaces"·selected="false"/> | 500 | ····<ns0:select·idref="network_disable_unused_interfaces"·selected="false"/> |
| 510 | ····<ns0:select·idref="account_expiration"·selected="false"/> | 501 | ····<ns0:select·idref="account_expiration"·selected="false"/> |
| 511 | ····<ns0:select·idref="smart_card_login"·selected="false"/> | 502 | ····<ns0:select·idref="smart_card_login"·selected="false"/> |
| 512 | ····<ns0:select·idref="gui_login_banner"·selected="false"/> | 503 | ····<ns0:select·idref="gui_login_banner"·selected="false"/> |
| 513 | ····<ns0:select·idref="user_umask"·selected="false"/> | 504 | ····<ns0:select·idref="user_umask"·selected="false"/> |
| 514 | ····<ns0:select·idref="entropy"·selected="false"/> | 505 | ····<ns0:select·idref="entropy"·selected="false"/> |
| 515 | ····<ns0:select·idref="daemon_umask"·selected="false"/> | 506 | ····<ns0:select·idref="daemon_umask"·selected="false"/> |
| 516 | ····<ns0:select·idref="coredumps"·selected="false"/> | ||
| 517 | ····<ns0:select·idref="enable_nx"·selected="false"/> | 507 | ····<ns0:select·idref="enable_nx"·selected="false"/> |
| 508 | ····<ns0:select·idref="coredumps"·selected="false"/> | ||
| 509 | ····<ns0:select·idref="sudo"·selected="false"/> | ||
| 510 | ····<ns0:select·idref="fips"·selected="false"/> | ||
| 511 | ····<ns0:select·idref="certified-vendor"·selected="false"/> | ||
| 512 | ····<ns0:select·idref="additional_security_software"·selected="false"/> | ||
| 513 | ····<ns0:select·idref="gnome_media_settings"·selected="false"/> | ||
| 514 | ····<ns0:select·idref="gnome_system_settings"·selected="false"/> | ||
| 515 | ····<ns0:select·idref="gnome_login_screen"·selected="false"/> | ||
| 516 | ····<ns0:select·idref="gnome_network_settings"·selected="false"/> | ||
| 517 | ····<ns0:select·idref="gnome_remote_access_settings"·selected="false"/> | ||
| 518 | ····<ns0:refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> | 518 | ····<ns0:refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> |
| 519 | ····<ns0:refine-value·idref="var_accounts_tmout"·selector="10_min"/> | 519 | ····<ns0:refine-value·idref="var_accounts_tmout"·selector="10_min"/> |
| 520 | ····<ns0:refine-value·idref="var_umask_for_daemons"·selector="027"/> | 520 | ····<ns0:refine-value·idref="var_umask_for_daemons"·selector="027"/> |
| 521 | ····<ns0:refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> | 521 | ····<ns0:refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> |
| 522 | ····<ns0:refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> | 522 | ····<ns0:refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> |
| 523 | ····<ns0:refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> | 523 | ····<ns0:refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> |
| 524 | ····<ns0:refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> | 524 | ····<ns0:refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> |
| Offset 549, 454 lines modified | Offset 549, 126 lines modified | ||
| 549 | ····<ns0:refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> | 549 | ····<ns0:refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> |
| 550 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> | 550 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> |
| 551 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> | 551 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> |
| 552 | ····<ns0:refine-value·idref="file_owner_logfiles_value"·selector="root"/> | 552 | ····<ns0:refine-value·idref="file_owner_logfiles_value"·selector="root"/> |
| 553 | ····<ns0:refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> | 553 | ····<ns0:refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> |
| 554 | ····<ns0:refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 554 | ····<ns0:refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 555 | ··</ns0:Profile> | 555 | ··</ns0:Profile> |
| 556 | ··<ns0:Profile·id=" | 556 | ··<ns0:Profile·id="standard"> |
| 557 | ····<ns0:title·override="true"·xml:lang="en-US"> | 557 | ····<ns0:title·override="true"·xml:lang="en-US">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</ns0:title> |
| 558 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile· | 558 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 559 | 559 | of·a·Red·Hat·Enterprise·Linux·6·system.·Regardless·of·your·system's·workload | |
| 560 | all·of·these·checks·should·pass.</ns0:description> | ||
| 560 | This·baseline·was·inspired·by·the·Center·for·Internet·Security | ||
| 561 | (CIS)·Red·Hat·Enterprise·Linux·6·Benchmark,·v1.2.0·-·06-25-2013. | ||
| 562 | For·the·SCAP·Security·Guide·project·to·remain·in·compliance·with | ||
| 563 | CIS'·terms·and·conditions,·specifically·Restrictions(8),·note· | ||
| 564 | there·is·no·representation·or·claim·that·the·C2S·profile·will | ||
| 565 | ensure·a·system·is·in·compliance·or·consistency·with·the·CIS | ||
| 566 | baseline.</ns0:description> | ||
| 567 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> | 561 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> |
| 568 | ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 569 | ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| Max diff block lines reached; 2514224/2524208 bytes (99.60%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="202 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-04-28T11:48:50"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>202 | 39 | ········<ns5:timestamp>2020-04-27T21:35:18</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> | 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> |
| Offset 31871, 15 lines modified | Offset 31871, 15 lines modified | ||
| 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns3:variables> | 31875 | ······</ns3:variables> |
| 31876 | ····</ns3:oval_definitions> | 31876 | ····</ns3:oval_definitions> |
| 31877 | ··</ns0:component> | 31877 | ··</ns0:component> |
| 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="202 | 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-04-28T11:48:50"> |
| 31879 | ····<ns9:ocil> | 31879 | ····<ns9:ocil> |
| 31880 | ······<ns9:generator> | 31880 | ······<ns9:generator> |
| 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> | 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 31885 | ······</ns9:generator> | 31885 | ······</ns9:generator> |
| Offset 31892, 36 lines modified | Offset 31892, 36 lines modified | ||
| 31892 | ········</ns9:questionnaire> | 31892 | ········</ns9:questionnaire> |
| 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| 31894 | ··········<ns9:title>Disable·rlogin·Service</ns9:title> | 31894 | ··········<ns9:title>Disable·rlogin·Service</ns9:title> |
| 31895 | ··········<ns9:actions> | 31895 | ··········<ns9:actions> |
| 31896 | ············<ns9:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns9:test_action_ref> | 31896 | ············<ns9:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns9:test_action_ref> |
| 31897 | ··········</ns9:actions> | 31897 | ··········</ns9:actions> |
| 31898 | ········</ns9:questionnaire> | 31898 | ········</ns9:questionnaire> |
| 31899 | ········<ns9:questionnaire·id="ocil:ssg-ser | 31899 | ········<ns9:questionnaire·id="ocil:ssg-no_user_host_based_files_ocil:questionnaire:1"> |
| 31900 | ··········<ns9:title> | 31900 | ··········<ns9:title>Remove·User·Host-Based·Authentication·Files</ns9:title> |
| 31901 | ··········<ns9:actions> | 31901 | ··········<ns9:actions> |
| 31902 | ············<ns9:test_action_ref>ocil:ssg-ser | 31902 | ············<ns9:test_action_ref>ocil:ssg-no_user_host_based_files_action:testaction:1</ns9:test_action_ref> |
| 31903 | ··········</ns9:actions> | 31903 | ··········</ns9:actions> |
| 31904 | ········</ns9:questionnaire> | 31904 | ········</ns9:questionnaire> |
| 31905 | ········<ns9:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> | 31905 | ········<ns9:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> |
| 31906 | ··········<ns9:title>Remove·Host-Based·Authentication·Files</ns9:title> | 31906 | ··········<ns9:title>Remove·Host-Based·Authentication·Files</ns9:title> |
| 31907 | ··········<ns9:actions> | 31907 | ··········<ns9:actions> |
| 31908 | ············<ns9:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns9:test_action_ref> | 31908 | ············<ns9:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns9:test_action_ref> |
| 31909 | ··········</ns9:actions> | 31909 | ··········</ns9:actions> |
| 31910 | ········</ns9:questionnaire> | 31910 | ········</ns9:questionnaire> |
| 31911 | ········<ns9:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> | 31911 | ········<ns9:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> |
| 31912 | ··········<ns9:title>Disable·rsh·Service</ns9:title> | 31912 | ··········<ns9:title>Disable·rsh·Service</ns9:title> |
| 31913 | ··········<ns9:actions> | 31913 | ··········<ns9:actions> |
| 31914 | ············<ns9:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns9:test_action_ref> | 31914 | ············<ns9:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns9:test_action_ref> |
| 31915 | ··········</ns9:actions> | 31915 | ··········</ns9:actions> |
| 31916 | ········</ns9:questionnaire> | 31916 | ········</ns9:questionnaire> |
| 31917 | ········<ns9:questionnaire·id="ocil:ssg- | 31917 | ········<ns9:questionnaire·id="ocil:ssg-service_rexec_disabled_ocil:questionnaire:1"> |
| 31918 | ··········<ns9:title> | 31918 | ··········<ns9:title>Disable·rexec·Service</ns9:title> |
| 31919 | ··········<ns9:actions> | 31919 | ··········<ns9:actions> |
| 31920 | ············<ns9:test_action_ref>ocil:ssg- | 31920 | ············<ns9:test_action_ref>ocil:ssg-service_rexec_disabled_action:testaction:1</ns9:test_action_ref> |
| 31921 | ··········</ns9:actions> | 31921 | ··········</ns9:actions> |
| 31922 | ········</ns9:questionnaire> | 31922 | ········</ns9:questionnaire> |
| 31923 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> | 31923 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> |
| 31924 | ··········<ns9:title>Uninstall·rsh-server·Package</ns9:title> | 31924 | ··········<ns9:title>Uninstall·rsh-server·Package</ns9:title> |
| 31925 | ··········<ns9:actions> | 31925 | ··········<ns9:actions> |
| 31926 | ············<ns9:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns9:test_action_ref> | 31926 | ············<ns9:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31927 | ··········</ns9:actions> | 31927 | ··········</ns9:actions> |
| Offset 31976, 38 lines modified | Offset 31976, 38 lines modified | ||
| 31976 | ········</ns9:questionnaire> | 31976 | ········</ns9:questionnaire> |
| 31977 | ········<ns9:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> | 31977 | ········<ns9:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> |
| 31978 | ··········<ns9:title>Disable·tftp·Service</ns9:title> | 31978 | ··········<ns9:title>Disable·tftp·Service</ns9:title> |
| 31979 | ··········<ns9:actions> | 31979 | ··········<ns9:actions> |
| 31980 | ············<ns9:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns9:test_action_ref> | 31980 | ············<ns9:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns9:test_action_ref> |
| 31981 | ··········</ns9:actions> | 31981 | ··········</ns9:actions> |
| 31982 | ········</ns9:questionnaire> | 31982 | ········</ns9:questionnaire> |
| 31983 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | ||
| 31984 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> | ||
| 31985 | ··········<ns9:actions> | ||
| 31986 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> | ||
| 31987 | ··········</ns9:actions> | ||
| 31988 | ········</ns9:questionnaire> | ||
| 31989 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> | 31983 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> |
| 31990 | ··········<ns9:title>Uninstall·tftp-server·Package</ns9:title> | 31984 | ··········<ns9:title>Uninstall·tftp-server·Package</ns9:title> |
| 31991 | ··········<ns9:actions> | 31985 | ··········<ns9:actions> |
| 31992 | ············<ns9:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns9:test_action_ref> | 31986 | ············<ns9:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31993 | ··········</ns9:actions> | 31987 | ··········</ns9:actions> |
| 31994 | ········</ns9:questionnaire> | 31988 | ········</ns9:questionnaire> |
| 31995 | ········<ns9:questionnaire·id="ocil:ssg- | 31989 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns9:title> | 31990 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> |
| 31997 | ··········<ns9:actions> | 31991 | ··········<ns9:actions> |
| 31998 | ············<ns9:test_action_ref>ocil:ssg- | 31992 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> |
| 31999 | ··········</ns9:actions> | 31993 | ··········</ns9:actions> |
| 32000 | ········</ns9:questionnaire> | 31994 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | 31995 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> |
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | 31996 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> |
| 32003 | ··········<ns9:actions> | 31997 | ··········<ns9:actions> |
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | 31998 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> |
| 32005 | ··········</ns9:actions> | 31999 | ··········</ns9:actions> |
| 32006 | ········</ns9:questionnaire> | 32000 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> | 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> |
| 32009 | ··········<ns9:actions> | 32009 | ··········<ns9:actions> |
| 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> | 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> |
| 32011 | ··········</ns9:actions> | 32011 | ··········</ns9:actions> |
| 32012 | ········</ns9:questionnaire> | 32012 | ········</ns9:questionnaire> |
| 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32018, 26 lines modified | Offset 32018, 26 lines modified | ||
| 32018 | ········</ns9:questionnaire> | 32018 | ········</ns9:questionnaire> |
| 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> | 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> |
| 32021 | ··········<ns9:actions> | 32021 | ··········<ns9:actions> |
| 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> | 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> |
| 32023 | ··········</ns9:actions> | 32023 | ··········</ns9:actions> |
| 32024 | ········</ns9:questionnaire> | 32024 | ········</ns9:questionnaire> |
| Max diff block lines reached; 5277576/5287269 bytes (99.82%) of diff not shown. | |||
| Offset 213, 14 lines modified | Offset 213, 266 lines modified | ||
| 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 218 | ··</ns0:metadata> | 218 | ··</ns0:metadata> |
| 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 220 | ··<ns0:Profile·id="standard"> | ||
| 221 | ····<ns0:title·override="true"·xml:lang="en-US">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·7</ns0:title> | ||
| 222 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·contains·rules·to·ensure·standard·security·baseline | ||
| 223 | of·a·Red·Hat·Enterprise·Linux·7·system.·Regardless·of·your·system's·workload | ||
| 224 | all·of·these·checks·should·pass.</ns0:description> | ||
| 225 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 226 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 227 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 228 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 229 | ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 230 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 231 | ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 232 | ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 233 | ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 234 | ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 235 | ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 236 | ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 237 | ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 238 | ····<ns0:select·idref="partition_for_var_log"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="audit_rules_time_adjtimex"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="audit_rules_time_settimeofday"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="audit_rules_time_stime"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="audit_rules_time_clock_settime"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="audit_rules_time_watch_localtime"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="audit_rules_usergroup_modification"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="audit_rules_networkconfig_modification"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="audit_rules_mac_modification"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="audit_rules_unsuccessful_file_modification"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="audit_rules_privileged_commands"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="audit_rules_media_export"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="audit_rules_file_deletion_events"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="audit_rules_sysadmin_actions"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="audit_rules_kernel_module_loading"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="service_abrtd_disabled"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="service_atd_disabled"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="service_ntpdate_disabled"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="service_oddjobd_disabled"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="service_qpidd_disabled"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="service_rdisc_disabled"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="remediation_functions"·selected="false"/> | ||
| 277 | ····<ns0:select·idref="obsolete"·selected="false"/> | ||
| 278 | ····<ns0:select·idref="r_services"·selected="false"/> | ||
| 279 | ····<ns0:select·idref="telnet"·selected="false"/> | ||
| 280 | ····<ns0:select·idref="nis"·selected="false"/> | ||
| 281 | ····<ns0:select·idref="tftp"·selected="false"/> | ||
| 282 | ····<ns0:select·idref="inetd_and_xinetd"·selected="false"/> | ||
| 283 | ····<ns0:select·idref="talk"·selected="false"/> | ||
| 284 | ····<ns0:select·idref="openstack"·selected="false"/> | ||
| 285 | ····<ns0:select·idref="ftp"·selected="false"/> | ||
| 286 | ····<ns0:select·idref="ftp_configure_vsftpd"·selected="false"/> | ||
| 287 | ····<ns0:select·idref="ftp_configure_firewall"·selected="false"/> | ||
| 288 | ····<ns0:select·idref="ftp_restrict_users"·selected="false"/> | ||
| 289 | ····<ns0:select·idref="ftp_limit_users"·selected="false"/> | ||
| 290 | ····<ns0:select·idref="ftp_use_vsftpd"·selected="false"/> | ||
| 291 | ····<ns0:select·idref="disabling_vsftpd"·selected="false"/> | ||
| 292 | ····<ns0:select·idref="snmp"·selected="false"/> | ||
| 293 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> | ||
| 294 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> | ||
| 295 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 296 | ····<ns0:select·idref="xwindows"·selected="false"/> | ||
| 297 | ····<ns0:select·idref="disabling_xwindows"·selected="false"/> | ||
| 298 | ····<ns0:select·idref="routing"·selected="false"/> | ||
| 299 | ····<ns0:select·idref="disabling_quagga"·selected="false"/> | ||
| 300 | ····<ns0:select·idref="dns"·selected="false"/> | ||
| 301 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> | ||
| 302 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> | ||
| 303 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> | ||
| 304 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 305 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 306 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 307 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> | ||
| 308 | ····<ns0:select·idref="ldap"·selected="false"/> | ||
| 309 | ····<ns0:select·idref="openldap_server"·selected="false"/> | ||
| 310 | ····<ns0:select·idref="ldap_server_config_certificate_files"·selected="false"/> | ||
| 311 | ····<ns0:select·idref="openldap_client"·selected="false"/> | ||
| 312 | ····<ns0:select·idref="dhcp"·selected="false"/> | ||
| 313 | ····<ns0:select·idref="disabling_dhcp_client"·selected="false"/> | ||
| 314 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 315 | ····<ns0:select·idref="dhcp_server_minimize_served_info"·selected="false"/> | ||
| 316 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 317 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 318 | ····<ns0:select·idref="dhcp_client_restrict_options"·selected="false"/> | ||
| 319 | ····<ns0:select·idref="smb"·selected="false"/> | ||
| 320 | ····<ns0:select·idref="disabling_samba"·selected="false"/> | ||
| 321 | ····<ns0:select·idref="configuring_samba"·selected="false"/> | ||
| 322 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> | ||
| 323 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> | ||
| 324 | ····<ns0:select·idref="http"·selected="false"/> | ||
| 325 | ····<ns0:select·idref="installing_httpd"·selected="false"/> | ||
| 326 | ····<ns0:select·idref="httpd_minimal_modules_installed"·selected="false"/> | ||
| 327 | ····<ns0:select·idref="disabling_httpd"·selected="false"/> | ||
| 328 | ····<ns0:select·idref="securing_httpd"·selected="false"/> | ||
| 329 | ····<ns0:select·idref="httpd_restrict_info_leakage"·selected="false"/> | ||
| 330 | ····<ns0:select·idref="httpd_configure_os_protect_web_server"·selected="false"/> | ||
| 331 | ····<ns0:select·idref="httpd_chroot"·selected="false"/> | ||
| 332 | ····<ns0:select·idref="httpd_restrict_file_dir_access"·selected="false"/> | ||
| 333 | ····<ns0:select·idref="httpd_use_dos_protection_modules"·selected="false"/> | ||
| 334 | ····<ns0:select·idref="httpd_modules_improve_security"·selected="false"/> | ||
| 335 | ····<ns0:select·idref="httpd_deploy_mod_security"·selected="false"/> | ||
| 336 | ····<ns0:select·idref="httpd_deploy_mod_ssl"·selected="false"/> | ||
| 337 | ····<ns0:select·idref="httpd_directory_restrictions"·selected="false"/> | ||
| 338 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> | ||
| 339 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> | ||
| Max diff block lines reached; 1890155/1907514 bytes (99.09%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:27</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title> | 12 | ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="202 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="2020-04-28T11:48:39"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>202 | 31 | ········<ns2:timestamp>2020-04-27T21:33:27</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> | 36 | ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> |
| 37 | ············<ns0:affected·family="unix"/> | 37 | ············<ns0:affected·family="unix"/> |
| 38 | ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> | 38 | ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> |
| Offset 4847, 15 lines modified | Offset 4847, 15 lines modified | ||
| 4847 | ········</ns3:textfilecontent54_state> | 4847 | ········</ns3:textfilecontent54_state> |
| 4848 | ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1"> | 4848 | ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1"> |
| 4849 | ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression> | 4849 | ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression> |
| 4850 | ········</ns3:textfilecontent54_state> | 4850 | ········</ns3:textfilecontent54_state> |
| 4851 | ······</ns0:states> | 4851 | ······</ns0:states> |
| 4852 | ····</ns0:oval_definitions> | 4852 | ····</ns0:oval_definitions> |
| 4853 | ··</ds:component> | 4853 | ··</ds:component> |
| 4854 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="202 | 4854 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="2020-04-28T11:48:39"> |
| 4855 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 4855 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 4856 | ······<ns0:generator> | 4856 | ······<ns0:generator> |
| 4857 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4857 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 4858 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 4858 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 4859 | ········<ns0:schema_version>2.0</ns0:schema_version> | 4859 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 4860 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 4860 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 4861 | ······</ns0:generator> | 4861 | ······</ns0:generator> |
| Offset 5522, 15 lines modified | Offset 5522, 15 lines modified | ||
| 5522 | If·the·system·is·configured·to·watch·for·account·changes,·lines·should·be·returned·for | 5522 | If·the·system·is·configured·to·watch·for·account·changes,·lines·should·be·returned·for |
| 5523 | each·file·specified·(and·with·perm=wa·for·each). | 5523 | each·file·specified·(and·with·perm=wa·for·each). |
| 5524 | » » » Is·it·the·case·that·the·system·is·not·configured·to·audit·account·changes?</ns0:question_text> | 5524 | » » » Is·it·the·case·that·the·system·is·not·configured·to·audit·account·changes?</ns0:question_text> |
| 5525 | ········</ns0:boolean_question> | 5525 | ········</ns0:boolean_question> |
| 5526 | ······</ns0:questions> | 5526 | ······</ns0:questions> |
| 5527 | ····</ns0:ocil> | 5527 | ····</ns0:ocil> |
| 5528 | ··</ds:component> | 5528 | ··</ds:component> |
| 5529 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-xccdf-1.2.xml"·timestamp="202 | 5529 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-xccdf-1.2.xml"·timestamp="2020-04-28T11:49:05"> |
| 5530 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> | 5530 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> |
| 5531 | ······<status·date="2018-07-26">draft</status> | 5531 | ······<status·date="2018-07-26">draft</status> |
| 5532 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Red·Hat·OpenStack·Platform·7</title> | 5532 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Red·Hat·OpenStack·Platform·7</title> |
| 5533 | ······<description·xml:lang="en-US"> | 5533 | ······<description·xml:lang="en-US"> |
| 5534 | ········This·guide·presents·a·catalog·of·security-relevant | 5534 | ········This·guide·presents·a·catalog·of·security-relevant |
| 5535 | configuration·settings·for·Red·Hat·OpenStack·Platform·7.·It·is·a·rendering·of | 5535 | configuration·settings·for·Red·Hat·OpenStack·Platform·7.·It·is·a·rendering·of |
| 5536 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) | 5536 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) |
| Offset 5750, 20 lines modified | Offset 5750, 20 lines modified | ||
| 5750 | ········<select·idref="xccdf_org.ssgproject.content_group_cron_and_at"·selected="false"/> | 5750 | ········<select·idref="xccdf_org.ssgproject.content_group_cron_and_at"·selected="false"/> |
| 5751 | ········<select·idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users"·selected="false"/> | 5751 | ········<select·idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users"·selected="false"/> |
| 5752 | ········<select·idref="xccdf_org.ssgproject.content_group_xwindows"·selected="false"/> | 5752 | ········<select·idref="xccdf_org.ssgproject.content_group_xwindows"·selected="false"/> |
| 5753 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_xwindows"·selected="false"/> | 5753 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_xwindows"·selected="false"/> |
| 5754 | ········<select·idref="xccdf_org.ssgproject.content_group_routing"·selected="false"/> | 5754 | ········<select·idref="xccdf_org.ssgproject.content_group_routing"·selected="false"/> |
| 5755 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_quagga"·selected="false"/> | 5755 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_quagga"·selected="false"/> |
| 5756 | ········<select·idref="xccdf_org.ssgproject.content_group_dns"·selected="false"/> | 5756 | ········<select·idref="xccdf_org.ssgproject.content_group_dns"·selected="false"/> |
| 5757 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_protection"·selected="false"/> | ||
| 5758 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·selected="false"/> | ||
| 5759 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·selected="false"/> | ||
| 5760 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_isolation"·selected="false"/> | 5757 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_isolation"·selected="false"/> |
| 5761 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_chroot"·selected="false"/> | 5758 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_chroot"·selected="false"/> |
| 5762 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_dedicated"·selected="false"/> | 5759 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_dedicated"·selected="false"/> |
| 5760 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_protection"·selected="false"/> | ||
| 5761 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external"·selected="false"/> | ||
| 5762 | ········<select·idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views"·selected="false"/> | ||
| 5763 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_dns_server"·selected="false"/> | 5763 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_dns_server"·selected="false"/> |
| 5764 | ········<select·idref="xccdf_org.ssgproject.content_group_ldap"·selected="false"/> | 5764 | ········<select·idref="xccdf_org.ssgproject.content_group_ldap"·selected="false"/> |
| 5765 | ········<select·idref="xccdf_org.ssgproject.content_group_openldap_server"·selected="false"/> | 5765 | ········<select·idref="xccdf_org.ssgproject.content_group_openldap_server"·selected="false"/> |
| 5766 | ········<select·idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·selected="false"/> | 5766 | ········<select·idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files"·selected="false"/> |
| 5767 | ········<select·idref="xccdf_org.ssgproject.content_group_openldap_client"·selected="false"/> | 5767 | ········<select·idref="xccdf_org.ssgproject.content_group_openldap_client"·selected="false"/> |
| 5768 | ········<select·idref="xccdf_org.ssgproject.content_group_dhcp"·selected="false"/> | 5768 | ········<select·idref="xccdf_org.ssgproject.content_group_dhcp"·selected="false"/> |
| 5769 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·selected="false"/> | 5769 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·selected="false"/> |
| Offset 5843, 57 lines modified | Offset 5843, 57 lines modified | ||
| 5843 | ········<select·idref="xccdf_org.ssgproject.content_group_avahi_configuration"·selected="false"/> | 5843 | ········<select·idref="xccdf_org.ssgproject.content_group_avahi_configuration"·selected="false"/> |
| 5844 | ········<select·idref="xccdf_org.ssgproject.content_group_ssh"·selected="false"/> | 5844 | ········<select·idref="xccdf_org.ssgproject.content_group_ssh"·selected="false"/> |
| 5845 | ········<select·idref="xccdf_org.ssgproject.content_group_ssh_server"·selected="false"/> | 5845 | ········<select·idref="xccdf_org.ssgproject.content_group_ssh_server"·selected="false"/> |
| 5846 | ········<select·idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall"·selected="false"/> | 5846 | ········<select·idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall"·selected="false"/> |
| 5847 | ········<select·idref="xccdf_org.ssgproject.content_group_intro"·selected="false"/> | 5847 | ········<select·idref="xccdf_org.ssgproject.content_group_intro"·selected="false"/> |
| 5848 | ········<select·idref="xccdf_org.ssgproject.content_group_general-principles"·selected="false"/> | 5848 | ········<select·idref="xccdf_org.ssgproject.content_group_general-principles"·selected="false"/> |
| 5849 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-minimize-software"·selected="false"/> | 5849 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-minimize-software"·selected="false"/> |
| 5850 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-use-security-tools"·selected="false"/> | ||
| 5851 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-least-privilege"·selected="false"/> | 5850 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-least-privilege"·selected="false"/> |
| 5851 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-use-security-tools"·selected="false"/> | ||
| 5852 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-separate-servers"·selected="false"/> | 5852 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-separate-servers"·selected="false"/> |
| 5853 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·selected="false"/> | 5853 | ········<select·idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"·selected="false"/> |
| 5854 | ········<select·idref="xccdf_org.ssgproject.content_group_how-to-use"·selected="false"/> | 5854 | ········<select·idref="xccdf_org.ssgproject.content_group_how-to-use"·selected="false"/> |
| 5855 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions"·selected="false"/> | 5855 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions"·selected="false"/> |
| 5856 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-test-non-production"·selected="false"/> | 5856 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-test-non-production"·selected="false"/> |
| 5857 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely"·selected="false"/> | 5857 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely"·selected="false"/> |
| 5858 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed"·selected="false"/> | 5858 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed"·selected="false"/> |
| 5859 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-reboot-required"·selected="false"/> | 5859 | ········<select·idref="xccdf_org.ssgproject.content_group_intro-reboot-required"·selected="false"/> |
| 5860 | ········<select·idref="xccdf_org.ssgproject.content_group_system"·selected="false"/> | 5860 | ········<select·idref="xccdf_org.ssgproject.content_group_system"·selected="false"/> |
| 5861 | ········<select·idref="xccdf_org.ssgproject.content_group_logging"·selected="false"/> | 5861 | ········<select·idref="xccdf_org.ssgproject.content_group_logging"·selected="false"/> |
| 5862 | ········<select·idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·selected="false"/> | 5862 | ········<select·idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages"·selected="false"/> |
| 5863 | ········<select·idref="xccdf_org.ssgproject.content_group_log_rotation"·selected="false"/> | ||
| 5863 | ········<select·idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·selected="false"/> | 5864 | ········<select·idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration"·selected="false"/> |
| 5864 | ········<select·idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver"·selected="false"/> | 5865 | ········<select·idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver"·selected="false"/> |
| 5865 | ········<select·idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·selected="false"/> | 5866 | ········<select·idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·selected="false"/> |
| 5866 | ········<select·idref="xccdf_org.ssgproject.content_group_log_rotation"·selected="false"/> | ||
| 5867 | ········<select·idref="xccdf_org.ssgproject.content_group_network"·selected="false"/> | 5867 | ········<select·idref="xccdf_org.ssgproject.content_group_network"·selected="false"/> |
| 5868 | ········<select·idref="xccdf_org.ssgproject.content_group_network-firewalld"·selected="false"/> | ||
| 5869 | ········<select·idref="xccdf_org.ssgproject.content_group_ruleset_modifications"·selected="false"/> | ||
| 5870 | ········<select·idref="xccdf_org.ssgproject.content_group_firewalld_activation"·selected="false"/> | ||
| 5871 | ········<select·idref="xccdf_org.ssgproject.content_group_network-ipsec"·selected="false"/> | ||
| 5868 | ········<select·idref="xccdf_org.ssgproject.content_group_network-ipv6"·selected="false"/> | 5872 | ········<select·idref="xccdf_org.ssgproject.content_group_network-ipv6"·selected="false"/> |
| 5869 | ········<select·idref="xccdf_org.ssgproject.content_group_configuring_ipv6"·selected="false"/> | 5873 | ········<select·idref="xccdf_org.ssgproject.content_group_configuring_ipv6"·selected="false"/> |
| 5870 | ········<select·idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests"·selected="false"/> | 5874 | ········<select·idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests"·selected="false"/> |
| 5871 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig"·selected="false"/> | 5875 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig"·selected="false"/> |
| 5872 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_ipv6"·selected="false"/> | 5876 | ········<select·idref="xccdf_org.ssgproject.content_group_disabling_ipv6"·selected="false"/> |
| 5873 | ········<select·idref="xccdf_org.ssgproject.content_group_network-ipsec"·selected="false"/> | ||
| 5874 | ········<select·idref="xccdf_org.ssgproject.content_group_network-firewalld"·selected="false"/> | ||
| 5875 | ········<select·idref="xccdf_org.ssgproject.content_group_ruleset_modifications"·selected="false"/> | ||
| 5876 | ········<select·idref="xccdf_org.ssgproject.content_group_firewalld_activation"·selected="false"/> | ||
| 5877 | ········<select·idref="xccdf_org.ssgproject.content_group_network-kernel"·selected="false"/> | 5877 | ········<select·idref="xccdf_org.ssgproject.content_group_network-kernel"·selected="false"/> |
| 5878 | ········<select·idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters"·selected="false"/> | 5878 | ········<select·idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters"·selected="false"/> |
| 5879 | ········<select·idref="xccdf_org.ssgproject.content_group_network_host_parameters"·selected="false"/> | 5879 | ········<select·idref="xccdf_org.ssgproject.content_group_network_host_parameters"·selected="false"/> |
| 5880 | ········<select·idref="xccdf_org.ssgproject.content_group_network_ssl"·selected="false"/> | 5880 | ········<select·idref="xccdf_org.ssgproject.content_group_network_ssl"·selected="false"/> |
| 5881 | ········<select·idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces"·selected="false"/> | 5881 | ········<select·idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces"·selected="false"/> |
| 5882 | ········<select·idref="xccdf_org.ssgproject.content_group_network-uncommon"·selected="false"/> | 5882 | ········<select·idref="xccdf_org.ssgproject.content_group_network-uncommon"·selected="false"/> |
| 5883 | ········<select·idref="xccdf_org.ssgproject.content_group_network-wireless"·selected="false"/> | 5883 | ········<select·idref="xccdf_org.ssgproject.content_group_network-wireless"·selected="false"/> |
| 5884 | ········<select·idref="xccdf_org.ssgproject.content_group_wireless_software"·selected="false"/> | 5884 | ········<select·idref="xccdf_org.ssgproject.content_group_wireless_software"·selected="false"/> |
| 5885 | ········<select·idref="xccdf_org.ssgproject.content_group_selinux"·selected="false"/> | 5885 | ········<select·idref="xccdf_org.ssgproject.content_group_selinux"·selected="false"/> |
| Max diff block lines reached; 338866/350578 bytes (96.66%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:27</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> | 12 | ········<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> | 14 | ········<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> |
| Offset 222, 20 lines modified | Offset 222, 20 lines modified | ||
| 222 | ····<select·idref="cron_and_at"·selected="false"/> | 222 | ····<select·idref="cron_and_at"·selected="false"/> |
| 223 | ····<select·idref="restrict_at_cron_users"·selected="false"/> | 223 | ····<select·idref="restrict_at_cron_users"·selected="false"/> |
| 224 | ····<select·idref="xwindows"·selected="false"/> | 224 | ····<select·idref="xwindows"·selected="false"/> |
| 225 | ····<select·idref="disabling_xwindows"·selected="false"/> | 225 | ····<select·idref="disabling_xwindows"·selected="false"/> |
| 226 | ····<select·idref="routing"·selected="false"/> | 226 | ····<select·idref="routing"·selected="false"/> |
| 227 | ····<select·idref="disabling_quagga"·selected="false"/> | 227 | ····<select·idref="disabling_quagga"·selected="false"/> |
| 228 | ····<select·idref="dns"·selected="false"/> | 228 | ····<select·idref="dns"·selected="false"/> |
| 229 | ····<select·idref="dns_server_protection"·selected="false"/> | ||
| 230 | ····<select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 231 | ····<select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 232 | ····<select·idref="dns_server_isolation"·selected="false"/> | 229 | ····<select·idref="dns_server_isolation"·selected="false"/> |
| 233 | ····<select·idref="dns_server_chroot"·selected="false"/> | 230 | ····<select·idref="dns_server_chroot"·selected="false"/> |
| 234 | ····<select·idref="dns_server_dedicated"·selected="false"/> | 231 | ····<select·idref="dns_server_dedicated"·selected="false"/> |
| 232 | ····<select·idref="dns_server_protection"·selected="false"/> | ||
| 233 | ····<select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 234 | ····<select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 235 | ····<select·idref="disabling_dns_server"·selected="false"/> | 235 | ····<select·idref="disabling_dns_server"·selected="false"/> |
| 236 | ····<select·idref="ldap"·selected="false"/> | 236 | ····<select·idref="ldap"·selected="false"/> |
| 237 | ····<select·idref="openldap_server"·selected="false"/> | 237 | ····<select·idref="openldap_server"·selected="false"/> |
| 238 | ····<select·idref="ldap_server_config_certificate_files"·selected="false"/> | 238 | ····<select·idref="ldap_server_config_certificate_files"·selected="false"/> |
| 239 | ····<select·idref="openldap_client"·selected="false"/> | 239 | ····<select·idref="openldap_client"·selected="false"/> |
| 240 | ····<select·idref="dhcp"·selected="false"/> | 240 | ····<select·idref="dhcp"·selected="false"/> |
| 241 | ····<select·idref="disabling_dhcp_client"·selected="false"/> | 241 | ····<select·idref="disabling_dhcp_client"·selected="false"/> |
| Offset 315, 57 lines modified | Offset 315, 57 lines modified | ||
| 315 | ····<select·idref="avahi_configuration"·selected="false"/> | 315 | ····<select·idref="avahi_configuration"·selected="false"/> |
| 316 | ····<select·idref="ssh"·selected="false"/> | 316 | ····<select·idref="ssh"·selected="false"/> |
| 317 | ····<select·idref="ssh_server"·selected="false"/> | 317 | ····<select·idref="ssh_server"·selected="false"/> |
| 318 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> | 318 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> |
| 319 | ····<select·idref="intro"·selected="false"/> | 319 | ····<select·idref="intro"·selected="false"/> |
| 320 | ····<select·idref="general-principles"·selected="false"/> | 320 | ····<select·idref="general-principles"·selected="false"/> |
| 321 | ····<select·idref="principle-minimize-software"·selected="false"/> | 321 | ····<select·idref="principle-minimize-software"·selected="false"/> |
| 322 | ····<select·idref="principle-use-security-tools"·selected="false"/> | ||
| 323 | ····<select·idref="principle-least-privilege"·selected="false"/> | 322 | ····<select·idref="principle-least-privilege"·selected="false"/> |
| 323 | ····<select·idref="principle-use-security-tools"·selected="false"/> | ||
| 324 | ····<select·idref="principle-separate-servers"·selected="false"/> | 324 | ····<select·idref="principle-separate-servers"·selected="false"/> |
| 325 | ····<select·idref="principle-encrypt-transmitted-data"·selected="false"/> | 325 | ····<select·idref="principle-encrypt-transmitted-data"·selected="false"/> |
| 326 | ····<select·idref="how-to-use"·selected="false"/> | 326 | ····<select·idref="how-to-use"·selected="false"/> |
| 327 | ····<select·idref="intro-formatting-conventions"·selected="false"/> | 327 | ····<select·idref="intro-formatting-conventions"·selected="false"/> |
| 328 | ····<select·idref="intro-test-non-production"·selected="false"/> | 328 | ····<select·idref="intro-test-non-production"·selected="false"/> |
| 329 | ····<select·idref="intro-read-sections-completely"·selected="false"/> | 329 | ····<select·idref="intro-read-sections-completely"·selected="false"/> |
| 330 | ····<select·idref="intro-root-shell-assumed"·selected="false"/> | 330 | ····<select·idref="intro-root-shell-assumed"·selected="false"/> |
| 331 | ····<select·idref="intro-reboot-required"·selected="false"/> | 331 | ····<select·idref="intro-reboot-required"·selected="false"/> |
| 332 | ····<select·idref="system"·selected="false"/> | 332 | ····<select·idref="system"·selected="false"/> |
| 333 | ····<select·idref="logging"·selected="false"/> | 333 | ····<select·idref="logging"·selected="false"/> |
| 334 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 334 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 335 | ····<select·idref="log_rotation"·selected="false"/> | ||
| 335 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | 336 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> |
| 336 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> | 337 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> |
| 337 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 338 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 338 | ····<select·idref="log_rotation"·selected="false"/> | ||
| 339 | ····<select·idref="network"·selected="false"/> | 339 | ····<select·idref="network"·selected="false"/> |
| 340 | ····<select·idref="network-firewalld"·selected="false"/> | ||
| 341 | ····<select·idref="ruleset_modifications"·selected="false"/> | ||
| 342 | ····<select·idref="firewalld_activation"·selected="false"/> | ||
| 343 | ····<select·idref="network-ipsec"·selected="false"/> | ||
| 340 | ····<select·idref="network-ipv6"·selected="false"/> | 344 | ····<select·idref="network-ipv6"·selected="false"/> |
| 341 | ····<select·idref="configuring_ipv6"·selected="false"/> | 345 | ····<select·idref="configuring_ipv6"·selected="false"/> |
| 342 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> | 346 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> |
| 343 | ····<select·idref="disabling_ipv6_autoconfig"·selected="false"/> | 347 | ····<select·idref="disabling_ipv6_autoconfig"·selected="false"/> |
| 344 | ····<select·idref="disabling_ipv6"·selected="false"/> | 348 | ····<select·idref="disabling_ipv6"·selected="false"/> |
| 345 | ····<select·idref="network-ipsec"·selected="false"/> | ||
| 346 | ····<select·idref="network-firewalld"·selected="false"/> | ||
| 347 | ····<select·idref="ruleset_modifications"·selected="false"/> | ||
| 348 | ····<select·idref="firewalld_activation"·selected="false"/> | ||
| 349 | ····<select·idref="network-kernel"·selected="false"/> | 349 | ····<select·idref="network-kernel"·selected="false"/> |
| 350 | ····<select·idref="network_host_and_router_parameters"·selected="false"/> | 350 | ····<select·idref="network_host_and_router_parameters"·selected="false"/> |
| 351 | ····<select·idref="network_host_parameters"·selected="false"/> | 351 | ····<select·idref="network_host_parameters"·selected="false"/> |
| 352 | ····<select·idref="network_ssl"·selected="false"/> | 352 | ····<select·idref="network_ssl"·selected="false"/> |
| 353 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> | 353 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> |
| 354 | ····<select·idref="network-uncommon"·selected="false"/> | 354 | ····<select·idref="network-uncommon"·selected="false"/> |
| 355 | ····<select·idref="network-wireless"·selected="false"/> | 355 | ····<select·idref="network-wireless"·selected="false"/> |
| 356 | ····<select·idref="wireless_software"·selected="false"/> | 356 | ····<select·idref="wireless_software"·selected="false"/> |
| 357 | ····<select·idref="selinux"·selected="false"/> | 357 | ····<select·idref="selinux"·selected="false"/> |
| 358 | ····<select·idref="selinux-booleans"·selected="false"/> | 358 | ····<select·idref="selinux-booleans"·selected="false"/> |
| 359 | ····<select·idref="accounts"·selected="false"/> | 359 | ····<select·idref="accounts"·selected="false"/> |
| 360 | ····<select·idref="accounts-restrictions"·selected="false"/> | 360 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 361 | ····<select·idref="password_expiration"·selected="false"/> | 361 | ····<select·idref="password_expiration"·selected="false"/> |
| 362 | ····<select·idref="root_logins"·selected="false"/> | 362 | ····<select·idref="root_logins"·selected="false"/> |
| 363 | ····<select·idref="account_expiration"·selected="false"/> | ||
| 364 | ····<select·idref="password_storage"·selected="false"/> | 363 | ····<select·idref="password_storage"·selected="false"/> |
| 364 | ····<select·idref="account_expiration"·selected="false"/> | ||
| 365 | ····<select·idref="accounts-pam"·selected="false"/> | 365 | ····<select·idref="accounts-pam"·selected="false"/> |
| 366 | ····<select·idref="set_password_hashing_algorithm"·selected="false"/> | 366 | ····<select·idref="set_password_hashing_algorithm"·selected="false"/> |
| 367 | ····<select·idref="locking_out_password_attempts"·selected="false"/> | 367 | ····<select·idref="locking_out_password_attempts"·selected="false"/> |
| 368 | ····<select·idref="password_quality"·selected="false"/> | 368 | ····<select·idref="password_quality"·selected="false"/> |
| 369 | ····<select·idref="password_quality_pwquality"·selected="false"/> | 369 | ····<select·idref="password_quality_pwquality"·selected="false"/> |
| 370 | ····<select·idref="accounts-physical"·selected="false"/> | 370 | ····<select·idref="accounts-physical"·selected="false"/> |
| 371 | ····<select·idref="screen_locking"·selected="false"/> | 371 | ····<select·idref="screen_locking"·selected="false"/> |
| Offset 377, 21 lines modified | Offset 377, 21 lines modified | ||
| 377 | ····<select·idref="accounts-session"·selected="false"/> | 377 | ····<select·idref="accounts-session"·selected="false"/> |
| 378 | ····<select·idref="user_umask"·selected="false"/> | 378 | ····<select·idref="user_umask"·selected="false"/> |
| 379 | ····<select·idref="root_paths"·selected="false"/> | 379 | ····<select·idref="root_paths"·selected="false"/> |
| 380 | ····<select·idref="permissions"·selected="false"/> | 380 | ····<select·idref="permissions"·selected="false"/> |
| 381 | ····<select·idref="files"·selected="false"/> | 381 | ····<select·idref="files"·selected="false"/> |
| 382 | ····<select·idref="permissions_important_account_files"·selected="false"/> | 382 | ····<select·idref="permissions_important_account_files"·selected="false"/> |
| 383 | ····<select·idref="permissions_within_important_dirs"·selected="false"/> | 383 | ····<select·idref="permissions_within_important_dirs"·selected="false"/> |
| 384 | ····<select·idref="mounting"·selected="false"/> | ||
| 385 | ····<select·idref="restrictions"·selected="false"/> | 384 | ····<select·idref="restrictions"·selected="false"/> |
| 386 | ····<select·idref="daemon_umask"·selected="false"/> | 385 | ····<select·idref="daemon_umask"·selected="false"/> |
| 387 | ····<select·idref="coredumps"·selected="false"/> | ||
| 388 | ····<select·idref="enable_nx"·selected="false"/> | 386 | ····<select·idref="enable_nx"·selected="false"/> |
| 387 | ····<select·idref="coredumps"·selected="false"/> | ||
| 389 | ····<select·idref="enable_execshield_settings"·selected="false"/> | 388 | ····<select·idref="enable_execshield_settings"·selected="false"/> |
| 390 | ····<select·idref="partitions"·selected="false"/> | 389 | ····<select·idref="partitions"·selected="false"/> |
| 390 | ····<select·idref="mounting"·selected="false"/> | ||
| 391 | ····<select·idref="auditing"·selected="false"/> | 391 | ····<select·idref="auditing"·selected="false"/> |
| 392 | ····<select·idref="configure_auditd_data_retention"·selected="false"/> | 392 | ····<select·idref="configure_auditd_data_retention"·selected="false"/> |
| 393 | ····<select·idref="auditd_configure_rules"·selected="false"/> | 393 | ····<select·idref="auditd_configure_rules"·selected="false"/> |
| 394 | ····<select·idref="audit_kernel_module_loading"·selected="false"/> | 394 | ····<select·idref="audit_kernel_module_loading"·selected="false"/> |
| 395 | ····<select·idref="audit_login_events"·selected="false"/> | 395 | ····<select·idref="audit_login_events"·selected="false"/> |
| 396 | ····<select·idref="audit_time_rules"·selected="false"/> | 396 | ····<select·idref="audit_time_rules"·selected="false"/> |
| 397 | ····<select·idref="audit_dac_actions"·selected="false"/> | 397 | ····<select·idref="audit_dac_actions"·selected="false"/> |
| Offset 420, 467 lines modified | Offset 420, 145 lines modified | ||
| 420 | ····<select·idref="gnome_login_screen"·selected="false"/> | 420 | ····<select·idref="gnome_login_screen"·selected="false"/> |
| 421 | ····<select·idref="gnome_network_settings"·selected="false"/> | 421 | ····<select·idref="gnome_network_settings"·selected="false"/> |
| 422 | ····<select·idref="gnome_remote_access_settings"·selected="false"/> | 422 | ····<select·idref="gnome_remote_access_settings"·selected="false"/> |
| 423 | ··</Profile> | 423 | ··</Profile> |
| 424 | ··<Group·id="remediation_functions"> | 424 | ··<Group·id="remediation_functions"> |
| 425 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 425 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 426 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 426 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 427 | ····<Value·hidden="true"·id="function_fi | 427 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> |
| 428 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fi | 428 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> |
| 429 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 430 | ······<value>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | ||
| 431 | #·preference·if·it·does·not·exist. | ||
| 432 | # | ||
| 433 | #·Expects·three·arguments: | ||
| Max diff block lines reached; 329832/341173 bytes (96.68%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:55</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ds:checks> | 31 | ····</ds:checks> |
| 32 | ··</ds:data-stream> | 32 | ··</ds:data-stream> |
| 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="202 | 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-04-28T11:48:20"> |
| 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns0:generator> | 35 | ······<ns0:generator> |
| 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 38 | ········<ns2:schema_version>5.11</ns2:schema_version> | 38 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 39 | ········<ns2:timestamp>202 | 39 | ········<ns2:timestamp>2020-04-27T21:33:55</ns2:timestamp> |
| 40 | ······</ns0:generator> | 40 | ······</ns0:generator> |
| 41 | ······<ns0:definitions> | 41 | ······<ns0:definitions> |
| 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns0:metadata> | 43 | ··········<ns0:metadata> |
| 44 | ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title> | 44 | ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title> |
| 45 | ············<ns0:affected·family="unix"> | 45 | ············<ns0:affected·family="unix"> |
| 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> | 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> |
| Offset 27893, 35 lines modified | Offset 27893, 35 lines modified | ||
| 27893 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns0:variables> | 27897 | ······</ns0:variables> |
| 27898 | ····</ns0:oval_definitions> | 27898 | ····</ns0:oval_definitions> |
| 27899 | ··</ds:component> | 27899 | ··</ds:component> |
| 27900 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="202 | 27900 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-04-28T11:48:20"> |
| 27901 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 27901 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 27902 | ······<ns0:generator> | 27902 | ······<ns0:generator> |
| 27903 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 27903 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 27904 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 27904 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 27905 | ········<ns0:schema_version>2.0</ns0:schema_version> | 27905 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 27906 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 27906 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 27907 | ······</ns0:generator> | 27907 | ······</ns0:generator> |
| 27908 | ······<ns0:questionnaires> | 27908 | ······<ns0:questionnaires> |
| 27909 | ········<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27910 | ··········<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 27911 | ··········<ns0:actions> | ||
| 27912 | ············<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 27913 | ··········</ns0:actions> | ||
| 27914 | ········</ns0:questionnaire> | ||
| 27915 | ········<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | 27909 | ········<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27916 | ··········<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> | 27910 | ··········<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> |
| 27917 | ··········<ns0:actions> | 27911 | ··········<ns0:actions> |
| 27918 | ············<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> | 27912 | ············<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> |
| 27919 | ··········</ns0:actions> | 27913 | ··········</ns0:actions> |
| 27920 | ········</ns0:questionnaire> | 27914 | ········</ns0:questionnaire> |
| 27915 | ········<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 27917 | ··········<ns0:actions> | ||
| 27918 | ············<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 27919 | ··········</ns0:actions> | ||
| 27920 | ········</ns0:questionnaire> | ||
| 27921 | ········<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 27921 | ········<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27922 | ··········<ns0:title>Disable·vsftpd·Service</ns0:title> | 27922 | ··········<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 27923 | ··········<ns0:actions> | 27923 | ··········<ns0:actions> |
| 27924 | ············<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> | 27924 | ············<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 27925 | ··········</ns0:actions> | 27925 | ··········</ns0:actions> |
| 27926 | ········</ns0:questionnaire> | 27926 | ········</ns0:questionnaire> |
| 27927 | ········<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 27927 | ········<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 27968, 32 lines modified | Offset 27968, 14 lines modified | ||
| 27968 | ········</ns0:questionnaire> | 27968 | ········</ns0:questionnaire> |
| 27969 | ········<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> | 27969 | ········<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> |
| 27970 | ··········<ns0:title>Enable·the·SSSD·Service</ns0:title> | 27970 | ··········<ns0:title>Enable·the·SSSD·Service</ns0:title> |
| 27971 | ··········<ns0:actions> | 27971 | ··········<ns0:actions> |
| 27972 | ············<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> | 27972 | ············<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> |
| 27973 | ··········</ns0:actions> | 27973 | ··········</ns0:actions> |
| 27974 | ········</ns0:questionnaire> | 27974 | ········</ns0:questionnaire> |
| 27975 | ········<ns0:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns0:title>Disable·DHCP·Client</ns0:title> | ||
| 27977 | ··········<ns0:actions> | ||
| 27978 | ············<ns0:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns0:test_action_ref> | ||
| 27979 | ··········</ns0:actions> | ||
| 27980 | ········</ns0:questionnaire> | ||
| 27981 | ········<ns0:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns0:title>Uninstall·DHCP·Server·Package</ns0:title> | ||
| 27983 | ··········<ns0:actions> | ||
| 27984 | ············<ns0:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns0:test_action_ref> | ||
| 27985 | ··········</ns0:actions> | ||
| 27986 | ········</ns0:questionnaire> | ||
| 27987 | ········<ns0:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> | ||
| 27988 | ··········<ns0:title>Disable·DHCP·Service</ns0:title> | ||
| 27989 | ··········<ns0:actions> | ||
| 27990 | ············<ns0:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 27991 | ··········</ns0:actions> | ||
| 27992 | ········</ns0:questionnaire> | ||
| 27993 | ········<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> | 27975 | ········<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> |
| 27994 | ··········<ns0:title>Enable·the·NTP·Daemon</ns0:title> | 27976 | ··········<ns0:title>Enable·the·NTP·Daemon</ns0:title> |
| 27995 | ··········<ns0:actions> | 27977 | ··········<ns0:actions> |
| 27996 | ············<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> | 27978 | ············<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> |
| 27997 | ··········</ns0:actions> | 27979 | ··········</ns0:actions> |
| 27998 | ········</ns0:questionnaire> | 27980 | ········</ns0:questionnaire> |
| 27999 | ········<ns0:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> | 27981 | ········<ns0:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> |
| Offset 28028, 44 lines modified | Offset 28010, 14 lines modified | ||
| 28028 | ········</ns0:questionnaire> | 28010 | ········</ns0:questionnaire> |
| 28029 | ········<ns0:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> | 28011 | ········<ns0:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> |
| 28030 | ··········<ns0:title>Disable·snmpd·Service</ns0:title> | 28012 | ··········<ns0:title>Disable·snmpd·Service</ns0:title> |
| 28031 | ··········<ns0:actions> | 28013 | ··········<ns0:actions> |
| 28032 | ············<ns0:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns0:test_action_ref> | 28014 | ············<ns0:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 28033 | ··········</ns0:actions> | 28015 | ··········</ns0:actions> |
| 28034 | ········</ns0:questionnaire> | 28016 | ········</ns0:questionnaire> |
| 28035 | ········<ns0:questionnaire·id="ocil:ssg-disable_anacron_ocil:questionnaire:1"> | ||
| 28036 | ··········<ns0:title>Disable·anacron·Service</ns0:title> | ||
| 28037 | ··········<ns0:actions> | ||
| 28038 | ············<ns0:test_action_ref>ocil:ssg-disable_anacron_action:testaction:1</ns0:test_action_ref> | ||
| 28039 | ··········</ns0:actions> | ||
| 28040 | ········</ns0:questionnaire> | ||
| 28041 | ········<ns0:questionnaire·id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1"> | ||
| 28042 | ··········<ns0:title>Enable·cron·Service</ns0:title> | ||
| 28043 | ··········<ns0:actions> | ||
| 28044 | ············<ns0:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 28045 | ··········</ns0:actions> | ||
| 28046 | ········</ns0:questionnaire> | ||
| 28047 | ········<ns0:questionnaire·id="ocil:ssg-service_atd_disabled_ocil:questionnaire:1"> | ||
| 28048 | ··········<ns0:title>Disable·At·Service·(atd)</ns0:title> | ||
| 28049 | ··········<ns0:actions> | ||
| 28050 | ············<ns0:test_action_ref>ocil:ssg-service_atd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 28051 | ··········</ns0:actions> | ||
| 28052 | ········</ns0:questionnaire> | ||
| 28053 | ········<ns0:questionnaire·id="ocil:ssg-xwindows_runlevel_setting_ocil:questionnaire:1"> | ||
| 28054 | ··········<ns0:title>Disable·X·Windows·Startup·By·Setting·Runlevel</ns0:title> | ||
| 28055 | ··········<ns0:actions> | ||
| 28056 | ············<ns0:test_action_ref>ocil:ssg-xwindows_runlevel_setting_action:testaction:1</ns0:test_action_ref> | ||
| 28057 | ··········</ns0:actions> | ||
| Max diff block lines reached; 4748357/4757729 bytes (99.80%) of diff not shown. | |||
| Offset 3, 26 lines modified | Offset 3, 26 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 11 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | 10 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> | 11 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> |
| 18 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> | 13 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 17 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 18 | ······<ns0:actions> | ||
| 19 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 20 | ······</ns0:actions> | ||
| 21 | ····</ns0:questionnaire> | ||
| 22 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> | 23 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 24 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 28 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 69, 32 lines modified | Offset 69, 14 lines modified | ||
| 69 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Enable·the·SSSD·Service</ns0:title> | 71 | ······<ns0:title>Enable·the·SSSD·Service</ns0:title> |
| 72 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> | 73 | ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> | ||
| 77 | ······<ns0:title>Disable·DHCP·Client</ns0:title> | ||
| 78 | ······<ns0:actions> | ||
| 79 | ········<ns0:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ······</ns0:actions> | ||
| 81 | ····</ns0:questionnaire> | ||
| 82 | ····<ns0:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> | ||
| 83 | ······<ns0:title>Uninstall·DHCP·Server·Package</ns0:title> | ||
| 84 | ······<ns0:actions> | ||
| 85 | ········<ns0:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ······</ns0:actions> | ||
| 87 | ····</ns0:questionnaire> | ||
| 88 | ····<ns0:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> | ||
| 89 | ······<ns0:title>Disable·DHCP·Service</ns0:title> | ||
| 90 | ······<ns0:actions> | ||
| 91 | ········<ns0:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 92 | ······</ns0:actions> | ||
| 93 | ····</ns0:questionnaire> | ||
| 94 | ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> |
| 95 | ······<ns0:title>Enable·the·NTP·Daemon</ns0:title> | 77 | ······<ns0:title>Enable·the·NTP·Daemon</ns0:title> |
| 96 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 97 | ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> |
| 98 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| 99 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> | 82 | ····<ns0:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> |
| Offset 129, 44 lines modified | Offset 111, 14 lines modified | ||
| 129 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> | 112 | ····<ns0:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> |
| 131 | ······<ns0:title>Disable·snmpd·Service</ns0:title> | 113 | ······<ns0:title>Disable·snmpd·Service</ns0:title> |
| 132 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns0:test_action_ref> | 115 | ········<ns0:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-disable_anacron_ocil:questionnaire:1"> | ||
| 137 | ······<ns0:title>Disable·anacron·Service</ns0:title> | ||
| 138 | ······<ns0:actions> | ||
| 139 | ········<ns0:test_action_ref>ocil:ssg-disable_anacron_action:testaction:1</ns0:test_action_ref> | ||
| 140 | ······</ns0:actions> | ||
| 141 | ····</ns0:questionnaire> | ||
| 142 | ····<ns0:questionnaire·id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1"> | ||
| 143 | ······<ns0:title>Enable·cron·Service</ns0:title> | ||
| 144 | ······<ns0:actions> | ||
| 145 | ········<ns0:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 146 | ······</ns0:actions> | ||
| 147 | ····</ns0:questionnaire> | ||
| 148 | ····<ns0:questionnaire·id="ocil:ssg-service_atd_disabled_ocil:questionnaire:1"> | ||
| 149 | ······<ns0:title>Disable·At·Service·(atd)</ns0:title> | ||
| 150 | ······<ns0:actions> | ||
| 151 | ········<ns0:test_action_ref>ocil:ssg-service_atd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 152 | ······</ns0:actions> | ||
| 153 | ····</ns0:questionnaire> | ||
| 154 | ····<ns0:questionnaire·id="ocil:ssg-xwindows_runlevel_setting_ocil:questionnaire:1"> | ||
| 155 | ······<ns0:title>Disable·X·Windows·Startup·By·Setting·Runlevel</ns0:title> | ||
| 156 | ······<ns0:actions> | ||
| 157 | ········<ns0:test_action_ref>ocil:ssg-xwindows_runlevel_setting_action:testaction:1</ns0:test_action_ref> | ||
| 158 | ······</ns0:actions> | ||
| 159 | ····</ns0:questionnaire> | ||
| 160 | ····<ns0:questionnaire·id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1"> | ||
| 161 | ······<ns0:title>Remove·the·X·Windows·Package·Group</ns0:title> | ||
| 162 | ······<ns0:actions> | ||
| 163 | ········<ns0:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ns0:test_action_ref> | ||
| 164 | ······</ns0:actions> | ||
| 165 | ····</ns0:questionnaire> | ||
| 166 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> |
| 167 | ······<ns0:title>Uninstal·rsh·Package</ns0:title> | 119 | ······<ns0:title>Uninstal·rsh·Package</ns0:title> |
| 168 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 169 | ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> |
| 170 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 171 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 172 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| Offset 243, 26 lines modified | Offset 195, 26 lines modified | ||
| 243 | ····</ns0:questionnaire> | 195 | ····</ns0:questionnaire> |
| 244 | ····<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> | 196 | ····<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> |
| 245 | ······<ns0:title>Disable·tftp·Service</ns0:title> | 197 | ······<ns0:title>Disable·tftp·Service</ns0:title> |
| 246 | ······<ns0:actions> | 198 | ······<ns0:actions> |
| 247 | ········<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> | 199 | ········<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> |
| 248 | ······</ns0:actions> | 200 | ······</ns0:actions> |
| 249 | ····</ns0:questionnaire> | 201 | ····</ns0:questionnaire> |
| 250 | ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | ||
| 251 | ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> | ||
| 252 | ······<ns0:actions> | ||
| 253 | ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> | ||
| 254 | ······</ns0:actions> | ||
| 255 | ····</ns0:questionnaire> | ||
| 256 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> | 202 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> |
| 257 | ······<ns0:title>Uninstall·tftp-server·Package</ns0:title> | 203 | ······<ns0:title>Uninstall·tftp-server·Package</ns0:title> |
| 258 | ······<ns0:actions> | 204 | ······<ns0:actions> |
| Max diff block lines reached; 421879/428560 bytes (98.44%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:33:55</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title> | 12 | ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> | 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> |
| Offset 380, 45 lines modified | Offset 380, 35 lines modified | ||
| 380 | ····<select·idref="httpd_configure_php_securely"·selected="false"/> | 380 | ····<select·idref="httpd_configure_php_securely"·selected="false"/> |
| 381 | ····<select·idref="httpd_minimize_loadable_modules"·selected="false"/> | 381 | ····<select·idref="httpd_minimize_loadable_modules"·selected="false"/> |
| 382 | ····<select·idref="httpd_core_modules"·selected="false"/> | 382 | ····<select·idref="httpd_core_modules"·selected="false"/> |
| 383 | ····<select·idref="httpd_basic_authentication"·selected="false"/> | 383 | ····<select·idref="httpd_basic_authentication"·selected="false"/> |
| 384 | ····<select·idref="httpd_minimize_config_files_included"·selected="false"/> | 384 | ····<select·idref="httpd_minimize_config_files_included"·selected="false"/> |
| 385 | ····<select·idref="httpd_optional_components"·selected="false"/> | 385 | ····<select·idref="httpd_optional_components"·selected="false"/> |
| 386 | ····<select·idref="sssd"·selected="false"/> | 386 | ····<select·idref="sssd"·selected="false"/> |
| 387 | ····<select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 388 | ····<select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 389 | ····<select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 390 | ····<select·idref="printing"·selected="false"/> | 387 | ····<select·idref="printing"·selected="false"/> |
| 391 | ····<select·idref="configure_printing"·selected="false"/> | 388 | ····<select·idref="configure_printing"·selected="false"/> |
| 392 | ····<select·idref="snmp"·selected="false"/> | 389 | ····<select·idref="snmp"·selected="false"/> |
| 393 | ····<select·idref="snmp_configure_server"·selected="false"/> | 390 | ····<select·idref="snmp_configure_server"·selected="false"/> |
| 394 | ····<select·idref="disabling_snmp_service"·selected="false"/> | 391 | ····<select·idref="disabling_snmp_service"·selected="false"/> |
| 395 | ····<select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 396 | ····<select·idref="talk"·selected="false"/> | 392 | ····<select·idref="talk"·selected="false"/> |
| 397 | ····<select·idref=" | 393 | ····<select·idref="ldap_server_config_certificate_files"·selected="false"/> |
| 398 | ····<select·idref=" | 394 | ····<select·idref="restrict_at_cron_users"·selected="false"/> |
| 399 | ····<select·idref=" | 395 | ····<select·idref="proxy"·selected="false"/> |
| 400 | ····<select·idref=" | 396 | ····<select·idref="disabling_squid"·selected="false"/> |
| 401 | ····<select·idref="disabling_nfs"·selected="false"/> | ||
| 402 | ····<select·idref="disabling_nfs_services"·selected="false"/> | ||
| 403 | ····<select·idref="disabling_netfs"·selected="false"/> | ||
| 404 | ····<select·idref="nfs_configuring_all_machines"·selected="false"/> | ||
| 405 | ····<select·idref="nfs_configure_fixed_ports"·selected="false"/> | ||
| 406 | ····<select·idref="nfs_client_or_server_not_both"·selected="false"/> | ||
| 407 | ····<select·idref="disabling_nfsd"·selected="false"/> | ||
| 408 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 409 | ····<select·idref="dns"·selected="false"/> | 397 | ····<select·idref="dns"·selected="false"/> |
| 410 | ····<select·idref="dns_server_protection"·selected="false"/> | ||
| 411 | ····<select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 412 | ····<select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 413 | ····<select·idref="dns_server_isolation"·selected="false"/> | 398 | ····<select·idref="dns_server_isolation"·selected="false"/> |
| 414 | ····<select·idref="dns_server_chroot"·selected="false"/> | 399 | ····<select·idref="dns_server_chroot"·selected="false"/> |
| 415 | ····<select·idref="dns_server_dedicated"·selected="false"/> | 400 | ····<select·idref="dns_server_dedicated"·selected="false"/> |
| 401 | ····<select·idref="dns_server_protection"·selected="false"/> | ||
| 402 | ····<select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 403 | ····<select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 416 | ····<select·idref="disabling_dns_server"·selected="false"/> | 404 | ····<select·idref="disabling_dns_server"·selected="false"/> |
| 417 | ····<select·idref=" | 405 | ····<select·idref="dhcp_server_configuration"·selected="false"/> |
| 406 | ····<select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 407 | ····<select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 418 | ····<select·idref="postfix_harden_os"·selected="false"/> | 408 | ····<select·idref="postfix_harden_os"·selected="false"/> |
| 419 | ····<select·idref="postfix_configure_ssl_certs"·selected="false"/> | 409 | ····<select·idref="postfix_configure_ssl_certs"·selected="false"/> |
| 420 | ····<select·idref="postfix_install_ssl_cert"·selected="false"/> | 410 | ····<select·idref="postfix_install_ssl_cert"·selected="false"/> |
| 421 | ····<select·idref="postfix_server_configuration"·selected="false"/> | 411 | ····<select·idref="postfix_server_configuration"·selected="false"/> |
| 422 | ····<select·idref="postfix_server_mail_relay"·selected="false"/> | 412 | ····<select·idref="postfix_server_mail_relay"·selected="false"/> |
| 423 | ····<select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> | 413 | ····<select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> |
| 424 | ····<select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> | 414 | ····<select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> |
| Offset 432, 25 lines modified | Offset 422, 26 lines modified | ||
| 432 | ····<select·idref="dovecot_enabling_ssl"·selected="false"/> | 422 | ····<select·idref="dovecot_enabling_ssl"·selected="false"/> |
| 433 | ····<select·idref="dovecot_allow_imap_access"·selected="false"/> | 423 | ····<select·idref="dovecot_allow_imap_access"·selected="false"/> |
| 434 | ····<select·idref="dovecot_support_necessary_protocols"·selected="false"/> | 424 | ····<select·idref="dovecot_support_necessary_protocols"·selected="false"/> |
| 435 | ····<select·idref="disabling_dovecot"·selected="false"/> | 425 | ····<select·idref="disabling_dovecot"·selected="false"/> |
| 436 | ····<select·idref="disabling_samba"·selected="false"/> | 426 | ····<select·idref="disabling_samba"·selected="false"/> |
| 437 | ····<select·idref="smb_disable_printing"·selected="false"/> | 427 | ····<select·idref="smb_disable_printing"·selected="false"/> |
| 438 | ····<select·idref="smb_restrict_file_sharing"·selected="false"/> | 428 | ····<select·idref="smb_restrict_file_sharing"·selected="false"/> |
| 439 | ····<select·idref=" | 429 | ····<select·idref="nfs_configuring_servers"·selected="false"/> |
| 440 | ····<select·idref=" | 430 | ····<select·idref="export_filesystems_read_only"·selected="false"/> |
| 441 | ····<select·idref=" | 431 | ····<select·idref="configure_exports_restrictively"·selected="false"/> |
| 442 | ····<select·idref=" | 432 | ····<select·idref="use_acl_enforce_auth_restrictions"·selected="false"/> |
| 443 | ····<select·idref=" | 433 | ····<select·idref="disabling_nfs"·selected="false"/> |
| 444 | ····<select·idref="fi | 434 | ····<select·idref="disabling_nfs_services"·selected="false"/> |
| 445 | ····<select·idref=" | 435 | ····<select·idref="disabling_netfs"·selected="false"/> |
| 446 | ····<select·idref=" | 436 | ····<select·idref="nfs_configuring_all_machines"·selected="false"/> |
| 447 | ····<select·idref=" | 437 | ····<select·idref="nfs_configure_fixed_ports"·selected="false"/> |
| 448 | ····<select·idref=" | 438 | ····<select·idref="nfs_client_or_server_not_both"·selected="false"/> |
| 449 | ····<select·idref=" | 439 | ····<select·idref="disabling_nfsd"·selected="false"/> |
| 440 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 450 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> | 441 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> |
| 451 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 442 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 452 | ····<select·idref="network-ipsec"·selected="false"/> | 443 | ····<select·idref="network-ipsec"·selected="false"/> |
| 453 | ····<select·idref="iptables_icmp_disabled"·selected="false"/> | 444 | ····<select·idref="iptables_icmp_disabled"·selected="false"/> |
| 454 | ····<select·idref="iptables_log_and_drop_suspicious"·selected="false"/> | 445 | ····<select·idref="iptables_log_and_drop_suspicious"·selected="false"/> |
| 455 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> | 446 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> |
| 456 | ····<select·idref="disabling_ipv6"·selected="false"/> | 447 | ····<select·idref="disabling_ipv6"·selected="false"/> |
| Offset 458, 16 lines modified | Offset 449, 25 lines modified | ||
| 458 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> | 449 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> |
| 459 | ····<select·idref="account_expiration"·selected="false"/> | 450 | ····<select·idref="account_expiration"·selected="false"/> |
| 460 | ····<select·idref="smart_card_login"·selected="false"/> | 451 | ····<select·idref="smart_card_login"·selected="false"/> |
| 461 | ····<select·idref="gui_login_banner"·selected="false"/> | 452 | ····<select·idref="gui_login_banner"·selected="false"/> |
| 462 | ····<select·idref="user_umask"·selected="false"/> | 453 | ····<select·idref="user_umask"·selected="false"/> |
| 463 | ····<select·idref="entropy"·selected="false"/> | 454 | ····<select·idref="entropy"·selected="false"/> |
| 464 | ····<select·idref="daemon_umask"·selected="false"/> | 455 | ····<select·idref="daemon_umask"·selected="false"/> |
| 465 | ····<select·idref="coredumps"·selected="false"/> | ||
| 466 | ····<select·idref="enable_nx"·selected="false"/> | 456 | ····<select·idref="enable_nx"·selected="false"/> |
| 457 | ····<select·idref="coredumps"·selected="false"/> | ||
| 458 | ····<select·idref="sudo"·selected="false"/> | ||
| 459 | ····<select·idref="fips"·selected="false"/> | ||
| 460 | ····<select·idref="certified-vendor"·selected="false"/> | ||
| 461 | ····<select·idref="additional_security_software"·selected="false"/> | ||
| 462 | ····<select·idref="gnome_media_settings"·selected="false"/> | ||
| 463 | ····<select·idref="gnome_system_settings"·selected="false"/> | ||
| 464 | ····<select·idref="gnome_login_screen"·selected="false"/> | ||
| 465 | ····<select·idref="gnome_network_settings"·selected="false"/> | ||
| 466 | ····<select·idref="gnome_remote_access_settings"·selected="false"/> | ||
| 467 | ····<refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> | 467 | ····<refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> |
| 468 | ····<refine-value·idref="var_accounts_tmout"·selector="10_min"/> | 468 | ····<refine-value·idref="var_accounts_tmout"·selector="10_min"/> |
| 469 | ····<refine-value·idref="var_umask_for_daemons"·selector="027"/> | 469 | ····<refine-value·idref="var_umask_for_daemons"·selector="027"/> |
| 470 | ····<refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> | 470 | ····<refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> |
| 471 | ····<refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> | 471 | ····<refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> |
| 472 | ····<refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> | 472 | ····<refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> |
| 473 | ····<refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> | 473 | ····<refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> |
| Offset 498, 454 lines modified | Offset 498, 126 lines modified | ||
| 498 | ····<refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> | 498 | ····<refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> |
| 499 | ····<refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> | 499 | ····<refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> |
| 500 | ····<refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> | 500 | ····<refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> |
| 501 | ····<refine-value·idref="file_owner_logfiles_value"·selector="root"/> | 501 | ····<refine-value·idref="file_owner_logfiles_value"·selector="root"/> |
| 502 | ····<refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> | 502 | ····<refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> |
| 503 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 503 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 504 | ··</Profile> | 504 | ··</Profile> |
| 505 | ··<Profile·id=" | 505 | ··<Profile·id="standard"> |
| 506 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml"> | 506 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</title> |
| 507 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile· | 507 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 508 | 508 | of·a·Red·Hat·Enterprise·Linux·6·system.·Regardless·of·your·system's·workload | |
| 509 | all·of·these·checks·should·pass.</description> | ||
| 509 | This·baseline·was·inspired·by·the·Center·for·Internet·Security | ||
| 510 | (CIS)·Red·Hat·Enterprise·Linux·6·Benchmark,·v1.2.0·-·06-25-2013. | ||
| 511 | For·the·SCAP·Security·Guide·project·to·remain·in·compliance·with | ||
| 512 | CIS'·terms·and·conditions,·specifically·Restrictions(8),·note· | ||
| 513 | there·is·no·representation·or·claim·that·the·C2S·profile·will | ||
| 514 | ensure·a·system·is·in·compliance·or·consistency·with·the·CIS | ||
| 515 | baseline.</description> | ||
| 516 | ····<select·idref="partition_for_tmp"·selected="true"/> | 510 | ····<select·idref="partition_for_tmp"·selected="true"/> |
| 517 | ····<select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 518 | ····<select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| Max diff block lines reached; 2814806/2824402 bytes (99.66%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:35:18</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ds:checks> | 31 | ····</ds:checks> |
| 32 | ··</ds:data-stream> | 32 | ··</ds:data-stream> |
| 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="202 | 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-04-28T11:48:50"> |
| 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns0:generator> | 35 | ······<ns0:generator> |
| 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 38 | ········<ns2:schema_version>5.11</ns2:schema_version> | 38 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 39 | ········<ns2:timestamp>202 | 39 | ········<ns2:timestamp>2020-04-27T21:35:18</ns2:timestamp> |
| 40 | ······</ns0:generator> | 40 | ······</ns0:generator> |
| 41 | ······<ns0:definitions> | 41 | ······<ns0:definitions> |
| 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns0:metadata> | 43 | ··········<ns0:metadata> |
| 44 | ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> | 44 | ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> |
| 45 | ············<ns0:affected·family="unix"> | 45 | ············<ns0:affected·family="unix"> |
| 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> | 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> |
| Offset 31871, 15 lines modified | Offset 31871, 15 lines modified | ||
| 31871 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns0:variables> | 31875 | ······</ns0:variables> |
| 31876 | ····</ns0:oval_definitions> | 31876 | ····</ns0:oval_definitions> |
| 31877 | ··</ds:component> | 31877 | ··</ds:component> |
| 31878 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="202 | 31878 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-04-28T11:48:50"> |
| 31879 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 31879 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 31880 | ······<ns0:generator> | 31880 | ······<ns0:generator> |
| 31881 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 31881 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 31882 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 31882 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 31883 | ········<ns0:schema_version>2.0</ns0:schema_version> | 31883 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 31884 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 31884 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 31885 | ······</ns0:generator> | 31885 | ······</ns0:generator> |
| Offset 31892, 36 lines modified | Offset 31892, 36 lines modified | ||
| 31892 | ········</ns0:questionnaire> | 31892 | ········</ns0:questionnaire> |
| 31893 | ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| 31894 | ··········<ns0:title>Disable·rlogin·Service</ns0:title> | 31894 | ··········<ns0:title>Disable·rlogin·Service</ns0:title> |
| 31895 | ··········<ns0:actions> | 31895 | ··········<ns0:actions> |
| 31896 | ············<ns0:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns0:test_action_ref> | 31896 | ············<ns0:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns0:test_action_ref> |
| 31897 | ··········</ns0:actions> | 31897 | ··········</ns0:actions> |
| 31898 | ········</ns0:questionnaire> | 31898 | ········</ns0:questionnaire> |
| 31899 | ········<ns0:questionnaire·id="ocil:ssg-ser | 31899 | ········<ns0:questionnaire·id="ocil:ssg-no_user_host_based_files_ocil:questionnaire:1"> |
| 31900 | ··········<ns0:title> | 31900 | ··········<ns0:title>Remove·User·Host-Based·Authentication·Files</ns0:title> |
| 31901 | ··········<ns0:actions> | 31901 | ··········<ns0:actions> |
| 31902 | ············<ns0:test_action_ref>ocil:ssg-ser | 31902 | ············<ns0:test_action_ref>ocil:ssg-no_user_host_based_files_action:testaction:1</ns0:test_action_ref> |
| 31903 | ··········</ns0:actions> | 31903 | ··········</ns0:actions> |
| 31904 | ········</ns0:questionnaire> | 31904 | ········</ns0:questionnaire> |
| 31905 | ········<ns0:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> | 31905 | ········<ns0:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> |
| 31906 | ··········<ns0:title>Remove·Host-Based·Authentication·Files</ns0:title> | 31906 | ··········<ns0:title>Remove·Host-Based·Authentication·Files</ns0:title> |
| 31907 | ··········<ns0:actions> | 31907 | ··········<ns0:actions> |
| 31908 | ············<ns0:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns0:test_action_ref> | 31908 | ············<ns0:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns0:test_action_ref> |
| 31909 | ··········</ns0:actions> | 31909 | ··········</ns0:actions> |
| 31910 | ········</ns0:questionnaire> | 31910 | ········</ns0:questionnaire> |
| 31911 | ········<ns0:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> | 31911 | ········<ns0:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> |
| 31912 | ··········<ns0:title>Disable·rsh·Service</ns0:title> | 31912 | ··········<ns0:title>Disable·rsh·Service</ns0:title> |
| 31913 | ··········<ns0:actions> | 31913 | ··········<ns0:actions> |
| 31914 | ············<ns0:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns0:test_action_ref> | 31914 | ············<ns0:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns0:test_action_ref> |
| 31915 | ··········</ns0:actions> | 31915 | ··········</ns0:actions> |
| 31916 | ········</ns0:questionnaire> | 31916 | ········</ns0:questionnaire> |
| 31917 | ········<ns0:questionnaire·id="ocil:ssg- | 31917 | ········<ns0:questionnaire·id="ocil:ssg-service_rexec_disabled_ocil:questionnaire:1"> |
| 31918 | ··········<ns0:title> | 31918 | ··········<ns0:title>Disable·rexec·Service</ns0:title> |
| 31919 | ··········<ns0:actions> | 31919 | ··········<ns0:actions> |
| 31920 | ············<ns0:test_action_ref>ocil:ssg- | 31920 | ············<ns0:test_action_ref>ocil:ssg-service_rexec_disabled_action:testaction:1</ns0:test_action_ref> |
| 31921 | ··········</ns0:actions> | 31921 | ··········</ns0:actions> |
| 31922 | ········</ns0:questionnaire> | 31922 | ········</ns0:questionnaire> |
| 31923 | ········<ns0:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> | 31923 | ········<ns0:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> |
| 31924 | ··········<ns0:title>Uninstall·rsh-server·Package</ns0:title> | 31924 | ··········<ns0:title>Uninstall·rsh-server·Package</ns0:title> |
| 31925 | ··········<ns0:actions> | 31925 | ··········<ns0:actions> |
| 31926 | ············<ns0:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns0:test_action_ref> | 31926 | ············<ns0:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns0:test_action_ref> |
| 31927 | ··········</ns0:actions> | 31927 | ··········</ns0:actions> |
| Offset 31976, 38 lines modified | Offset 31976, 38 lines modified | ||
| 31976 | ········</ns0:questionnaire> | 31976 | ········</ns0:questionnaire> |
| 31977 | ········<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> | 31977 | ········<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> |
| 31978 | ··········<ns0:title>Disable·tftp·Service</ns0:title> | 31978 | ··········<ns0:title>Disable·tftp·Service</ns0:title> |
| 31979 | ··········<ns0:actions> | 31979 | ··········<ns0:actions> |
| 31980 | ············<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> | 31980 | ············<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> |
| 31981 | ··········</ns0:actions> | 31981 | ··········</ns0:actions> |
| 31982 | ········</ns0:questionnaire> | 31982 | ········</ns0:questionnaire> |
| 31983 | ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | ||
| 31984 | ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> | ||
| 31985 | ··········<ns0:actions> | ||
| 31986 | ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> | ||
| 31987 | ··········</ns0:actions> | ||
| 31988 | ········</ns0:questionnaire> | ||
| 31989 | ········<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> | 31983 | ········<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> |
| 31990 | ··········<ns0:title>Uninstall·tftp-server·Package</ns0:title> | 31984 | ··········<ns0:title>Uninstall·tftp-server·Package</ns0:title> |
| 31991 | ··········<ns0:actions> | 31985 | ··········<ns0:actions> |
| 31992 | ············<ns0:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns0:test_action_ref> | 31986 | ············<ns0:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns0:test_action_ref> |
| 31993 | ··········</ns0:actions> | 31987 | ··········</ns0:actions> |
| 31994 | ········</ns0:questionnaire> | 31988 | ········</ns0:questionnaire> |
| 31995 | ········<ns0:questionnaire·id="ocil:ssg- | 31989 | ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns0:title> | 31990 | ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> |
| 31997 | ··········<ns0:actions> | 31991 | ··········<ns0:actions> |
| 31998 | ············<ns0:test_action_ref>ocil:ssg- | 31992 | ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> |
| 31999 | ··········</ns0:actions> | 31993 | ··········</ns0:actions> |
| 32000 | ········</ns0:questionnaire> | 31994 | ········</ns0:questionnaire> |
| 32001 | ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | 31995 | ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> |
| 32002 | ··········<ns0:title>Disable·xinetd·Service</ns0:title> | 31996 | ··········<ns0:title>Disable·xinetd·Service</ns0:title> |
| 32003 | ··········<ns0:actions> | 31997 | ··········<ns0:actions> |
| 32004 | ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | 31998 | ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> |
| 32005 | ··········</ns0:actions> | 31999 | ··········</ns0:actions> |
| 32006 | ········</ns0:questionnaire> | 32000 | ········</ns0:questionnaire> |
| 32001 | ········<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns0:title>Install·tcp_wrappers·Package</ns0:title> | ||
| 32003 | ··········<ns0:actions> | ||
| 32004 | ············<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> | ||
| 32005 | ··········</ns0:actions> | ||
| 32006 | ········</ns0:questionnaire> | ||
| 32007 | ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32008 | ··········<ns0:title>Uninstall·xinetd·Package</ns0:title> | 32008 | ··········<ns0:title>Uninstall·xinetd·Package</ns0:title> |
| 32009 | ··········<ns0:actions> | 32009 | ··········<ns0:actions> |
| 32010 | ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> | 32010 | ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> |
| 32011 | ··········</ns0:actions> | 32011 | ··········</ns0:actions> |
| 32012 | ········</ns0:questionnaire> | 32012 | ········</ns0:questionnaire> |
| 32013 | ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32018, 26 lines modified | Offset 32018, 26 lines modified | ||
| 32018 | ········</ns0:questionnaire> | 32018 | ········</ns0:questionnaire> |
| 32019 | ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32020 | ··········<ns0:title>Uninstall·talk-server·Package</ns0:title> | 32020 | ··········<ns0:title>Uninstall·talk-server·Package</ns0:title> |
| 32021 | ··········<ns0:actions> | 32021 | ··········<ns0:actions> |
| 32022 | ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> | 32022 | ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> |
| 32023 | ··········</ns0:actions> | 32023 | ··········</ns0:actions> |
| 32024 | ········</ns0:questionnaire> | 32024 | ········</ns0:questionnaire> |
| Max diff block lines reached; 5429979/5440106 bytes (99.81%) of diff not shown. | |||
| Offset 15, 36 lines modified | Offset 15, 36 lines modified | ||
| 15 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Disable·rlogin·Service</ns0:title> | 17 | ······<ns0:title>Disable·rlogin·Service</ns0:title> |
| 18 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns0:test_action_ref> | 19 | ········<ns0:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-ser | 22 | ····<ns0:questionnaire·id="ocil:ssg-no_user_host_based_files_ocil:questionnaire:1"> |
| 23 | ······<ns0:title> | 23 | ······<ns0:title>Remove·User·Host-Based·Authentication·Files</ns0:title> |
| 24 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-ser | 25 | ········<ns0:test_action_ref>ocil:ssg-no_user_host_based_files_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> | 28 | ····<ns0:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> |
| 29 | ······<ns0:title>Remove·Host-Based·Authentication·Files</ns0:title> | 29 | ······<ns0:title>Remove·Host-Based·Authentication·Files</ns0:title> |
| 30 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns0:test_action_ref> | 31 | ········<ns0:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Disable·rsh·Service</ns0:title> | 35 | ······<ns0:title>Disable·rsh·Service</ns0:title> |
| 36 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg- | 40 | ····<ns0:questionnaire·id="ocil:ssg-service_rexec_disabled_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 41 | ······<ns0:title>Disable·rexec·Service</ns0:title> |
| 42 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg- | 43 | ········<ns0:test_action_ref>ocil:ssg-service_rexec_disabled_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Uninstall·rsh-server·Package</ns0:title> | 47 | ······<ns0:title>Uninstall·rsh-server·Package</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| Offset 99, 38 lines modified | Offset 99, 38 lines modified | ||
| 99 | ····</ns0:questionnaire> | 99 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> | 100 | ····<ns0:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> |
| 101 | ······<ns0:title>Disable·tftp·Service</ns0:title> | 101 | ······<ns0:title>Disable·tftp·Service</ns0:title> |
| 102 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 103 | ········<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> | 103 | ········<ns0:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns0:test_action_ref> |
| 104 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 105 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> | 106 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> |
| 113 | ······<ns0:title>Uninstall·tftp-server·Package</ns0:title> | 107 | ······<ns0:title>Uninstall·tftp-server·Package</ns0:title> |
| 114 | ······<ns0:actions> | 108 | ······<ns0:actions> |
| 115 | ········<ns0:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns0:test_action_ref> | 109 | ········<ns0:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns0:test_action_ref> |
| 116 | ······</ns0:actions> | 110 | ······</ns0:actions> |
| 117 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 118 | ····<ns0:questionnaire·id="ocil:ssg- | 112 | ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 119 | ······<ns0:title> | 113 | ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> |
| 120 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg- | 115 | ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Disable·xinetd·Service</ns0:title> | 119 | ······<ns0:title>Disable·xinetd·Service</ns0:title> |
| 126 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | ||
| 125 | ······<ns0:title>Install·tcp_wrappers·Package</ns0:title> | ||
| 126 | ······<ns0:actions> | ||
| 127 | ········<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> | ||
| 128 | ······</ns0:actions> | ||
| 129 | ····</ns0:questionnaire> | ||
| 130 | ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 130 | ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 131 | ······<ns0:title>Uninstall·xinetd·Package</ns0:title> | 131 | ······<ns0:title>Uninstall·xinetd·Package</ns0:title> |
| 132 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> | 133 | ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 136 | ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 141, 26 lines modified | Offset 141, 26 lines modified | ||
| 141 | ····</ns0:questionnaire> | 141 | ····</ns0:questionnaire> |
| 142 | ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 142 | ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 143 | ······<ns0:title>Uninstall·talk-server·Package</ns0:title> | 143 | ······<ns0:title>Uninstall·talk-server·Package</ns0:title> |
| 144 | ······<ns0:actions> | 144 | ······<ns0:actions> |
| 145 | ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> | 145 | ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> |
| 146 | ······</ns0:actions> | 146 | ······</ns0:actions> |
| 147 | ····</ns0:questionnaire> | 147 | ····</ns0:questionnaire> |
| 148 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 149 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 150 | ······<ns0:actions> | ||
| 151 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 152 | ······</ns0:actions> | ||
| 153 | ····</ns0:questionnaire> | ||
| 154 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | 148 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 155 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> | 149 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> |
| 156 | ······<ns0:actions> | 150 | ······<ns0:actions> |
| 157 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> | 151 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> |
| 158 | ······</ns0:actions> | 152 | ······</ns0:actions> |
| 159 | ····</ns0:questionnaire> | 153 | ····</ns0:questionnaire> |
| 154 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 155 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | ||
| 156 | ······<ns0:actions> | ||
| 157 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | ||
| 158 | ······</ns0:actions> | ||
| 159 | ····</ns0:questionnaire> | ||
| 160 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 160 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 161 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> | 161 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 162 | ······<ns0:actions> | 162 | ······<ns0:actions> |
| 163 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> | 163 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 164 | ······</ns0:actions> | 164 | ······</ns0:actions> |
| 165 | ····</ns0:questionnaire> | 165 | ····</ns0:questionnaire> |
| 166 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 166 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 315, 26 lines modified | Offset 315, 26 lines modified | ||
| 315 | ····</ns0:questionnaire> | 315 | ····</ns0:questionnaire> |
| 316 | ····<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> | 316 | ····<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> |
| 317 | ······<ns0:title>Install·the·Samba·Common·Package</ns0:title> | 317 | ······<ns0:title>Install·the·Samba·Common·Package</ns0:title> |
| 318 | ······<ns0:actions> | 318 | ······<ns0:actions> |
| 319 | ········<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref> | 319 | ········<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref> |
| 320 | ······</ns0:actions> | 320 | ······</ns0:actions> |
| 321 | ····</ns0:questionnaire> | 321 | ····</ns0:questionnaire> |
| 322 | ····<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1"> | ||
| 323 | ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title> | ||
| 324 | ······<ns0:actions> | ||
| 325 | ········<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref> | ||
| 326 | ······</ns0:actions> | ||
| Max diff block lines reached; 685011/692607 bytes (98.90%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>202 | 7 | ····<ns2:timestamp>2020-04-27T21:35:18</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> | 12 | ········<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> | 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> |
| Offset 162, 14 lines modified | Offset 162, 266 lines modified | ||
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 167 | ··</metadata> | 167 | ··</metadata> |
| 168 | ··<model·system="urn:xccdf:scoring:default"/> | 168 | ··<model·system="urn:xccdf:scoring:default"/> |
| 169 | ··<Profile·id="standard"> | ||
| 170 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·7</title> | ||
| 171 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·rules·to·ensure·standard·security·baseline | ||
| 172 | of·a·Red·Hat·Enterprise·Linux·7·system.·Regardless·of·your·system's·workload | ||
| 173 | all·of·these·checks·should·pass.</description> | ||
| 174 | ····<select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 175 | ····<select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 176 | ····<select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 177 | ····<select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 178 | ····<select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 179 | ····<select·idref="no_empty_passwords"·selected="true"/> | ||
| 180 | ····<select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 181 | ····<select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 182 | ····<select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 183 | ····<select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 184 | ····<select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 185 | ····<select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 186 | ····<select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 187 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 188 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 189 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 190 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 191 | ····<select·idref="audit_rules_time_adjtimex"·selected="true"/> | ||
| 192 | ····<select·idref="audit_rules_time_settimeofday"·selected="true"/> | ||
| 193 | ····<select·idref="audit_rules_time_stime"·selected="true"/> | ||
| 194 | ····<select·idref="audit_rules_time_clock_settime"·selected="true"/> | ||
| 195 | ····<select·idref="audit_rules_time_watch_localtime"·selected="true"/> | ||
| 196 | ····<select·idref="audit_rules_usergroup_modification"·selected="true"/> | ||
| 197 | ····<select·idref="audit_rules_networkconfig_modification"·selected="true"/> | ||
| 198 | ····<select·idref="audit_rules_mac_modification"·selected="true"/> | ||
| 199 | ····<select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 200 | ····<select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 201 | ····<select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 202 | ····<select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 203 | ····<select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 204 | ····<select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 205 | ····<select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 206 | ····<select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 207 | ····<select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 208 | ····<select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 209 | ····<select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 210 | ····<select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 211 | ····<select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 212 | ····<select·idref="audit_rules_unsuccessful_file_modification"·selected="true"/> | ||
| 213 | ····<select·idref="audit_rules_privileged_commands"·selected="true"/> | ||
| 214 | ····<select·idref="audit_rules_media_export"·selected="true"/> | ||
| 215 | ····<select·idref="audit_rules_file_deletion_events"·selected="true"/> | ||
| 216 | ····<select·idref="audit_rules_sysadmin_actions"·selected="true"/> | ||
| 217 | ····<select·idref="audit_rules_kernel_module_loading"·selected="true"/> | ||
| 218 | ····<select·idref="service_abrtd_disabled"·selected="true"/> | ||
| 219 | ····<select·idref="service_atd_disabled"·selected="true"/> | ||
| 220 | ····<select·idref="service_autofs_disabled"·selected="true"/> | ||
| 221 | ····<select·idref="service_ntpdate_disabled"·selected="true"/> | ||
| 222 | ····<select·idref="service_oddjobd_disabled"·selected="true"/> | ||
| 223 | ····<select·idref="service_qpidd_disabled"·selected="true"/> | ||
| 224 | ····<select·idref="service_rdisc_disabled"·selected="true"/> | ||
| 225 | ····<select·idref="remediation_functions"·selected="false"/> | ||
| 226 | ····<select·idref="obsolete"·selected="false"/> | ||
| 227 | ····<select·idref="r_services"·selected="false"/> | ||
| 228 | ····<select·idref="telnet"·selected="false"/> | ||
| 229 | ····<select·idref="nis"·selected="false"/> | ||
| 230 | ····<select·idref="tftp"·selected="false"/> | ||
| 231 | ····<select·idref="inetd_and_xinetd"·selected="false"/> | ||
| 232 | ····<select·idref="talk"·selected="false"/> | ||
| 233 | ····<select·idref="openstack"·selected="false"/> | ||
| 234 | ····<select·idref="ftp"·selected="false"/> | ||
| 235 | ····<select·idref="ftp_configure_vsftpd"·selected="false"/> | ||
| 236 | ····<select·idref="ftp_configure_firewall"·selected="false"/> | ||
| 237 | ····<select·idref="ftp_restrict_users"·selected="false"/> | ||
| 238 | ····<select·idref="ftp_limit_users"·selected="false"/> | ||
| 239 | ····<select·idref="ftp_use_vsftpd"·selected="false"/> | ||
| 240 | ····<select·idref="disabling_vsftpd"·selected="false"/> | ||
| 241 | ····<select·idref="snmp"·selected="false"/> | ||
| 242 | ····<select·idref="snmp_configure_server"·selected="false"/> | ||
| 243 | ····<select·idref="disabling_snmp_service"·selected="false"/> | ||
| 244 | ····<select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 245 | ····<select·idref="xwindows"·selected="false"/> | ||
| 246 | ····<select·idref="disabling_xwindows"·selected="false"/> | ||
| 247 | ····<select·idref="routing"·selected="false"/> | ||
| 248 | ····<select·idref="disabling_quagga"·selected="false"/> | ||
| 249 | ····<select·idref="dns"·selected="false"/> | ||
| 250 | ····<select·idref="dns_server_isolation"·selected="false"/> | ||
| 251 | ····<select·idref="dns_server_chroot"·selected="false"/> | ||
| 252 | ····<select·idref="dns_server_dedicated"·selected="false"/> | ||
| 253 | ····<select·idref="dns_server_protection"·selected="false"/> | ||
| 254 | ····<select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 255 | ····<select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 256 | ····<select·idref="disabling_dns_server"·selected="false"/> | ||
| 257 | ····<select·idref="ldap"·selected="false"/> | ||
| 258 | ····<select·idref="openldap_server"·selected="false"/> | ||
| 259 | ····<select·idref="ldap_server_config_certificate_files"·selected="false"/> | ||
| 260 | ····<select·idref="openldap_client"·selected="false"/> | ||
| 261 | ····<select·idref="dhcp"·selected="false"/> | ||
| 262 | ····<select·idref="disabling_dhcp_client"·selected="false"/> | ||
| 263 | ····<select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 264 | ····<select·idref="dhcp_server_minimize_served_info"·selected="false"/> | ||
| 265 | ····<select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 266 | ····<select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 267 | ····<select·idref="dhcp_client_restrict_options"·selected="false"/> | ||
| 268 | ····<select·idref="smb"·selected="false"/> | ||
| 269 | ····<select·idref="disabling_samba"·selected="false"/> | ||
| 270 | ····<select·idref="configuring_samba"·selected="false"/> | ||
| 271 | ····<select·idref="smb_disable_printing"·selected="false"/> | ||
| 272 | ····<select·idref="smb_restrict_file_sharing"·selected="false"/> | ||
| 273 | ····<select·idref="http"·selected="false"/> | ||
| 274 | ····<select·idref="installing_httpd"·selected="false"/> | ||
| 275 | ····<select·idref="httpd_minimal_modules_installed"·selected="false"/> | ||
| 276 | ····<select·idref="disabling_httpd"·selected="false"/> | ||
| 277 | ····<select·idref="securing_httpd"·selected="false"/> | ||
| 278 | ····<select·idref="httpd_restrict_info_leakage"·selected="false"/> | ||
| 279 | ····<select·idref="httpd_configure_os_protect_web_server"·selected="false"/> | ||
| 280 | ····<select·idref="httpd_chroot"·selected="false"/> | ||
| 281 | ····<select·idref="httpd_restrict_file_dir_access"·selected="false"/> | ||
| 282 | ····<select·idref="httpd_use_dos_protection_modules"·selected="false"/> | ||
| 283 | ····<select·idref="httpd_modules_improve_security"·selected="false"/> | ||
| 284 | ····<select·idref="httpd_deploy_mod_security"·selected="false"/> | ||
| 285 | ····<select·idref="httpd_deploy_mod_ssl"·selected="false"/> | ||
| 286 | ····<select·idref="httpd_directory_restrictions"·selected="false"/> | ||
| 287 | ····<select·idref="httpd_configure_php_securely"·selected="false"/> | ||
| 288 | ····<select·idref="httpd_minimize_loadable_modules"·selected="false"/> | ||
| Max diff block lines reached; 2141766/2158411 bytes (99.23%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="202 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-04-28T11:48:20"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>202 | 39 | ········<ns5:timestamp>2020-04-27T21:33:55</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> | 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> |
| Offset 27893, 35 lines modified | Offset 27893, 35 lines modified | ||
| 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns3:variables> | 27897 | ······</ns3:variables> |
| 27898 | ····</ns3:oval_definitions> | 27898 | ····</ns3:oval_definitions> |
| 27899 | ··</ns0:component> | 27899 | ··</ns0:component> |
| 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="202 | 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-04-28T11:48:20"> |
| 27901 | ····<ns9:ocil> | 27901 | ····<ns9:ocil> |
| 27902 | ······<ns9:generator> | 27902 | ······<ns9:generator> |
| 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> | 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 27907 | ······</ns9:generator> | 27907 | ······</ns9:generator> |
| 27908 | ······<ns9:questionnaires> | 27908 | ······<ns9:questionnaires> |
| 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27910 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> | ||
| 27911 | ··········<ns9:actions> | ||
| 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> | ||
| 27913 | ··········</ns9:actions> | ||
| 27914 | ········</ns9:questionnaire> | ||
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27916 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> | 27910 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> |
| 27917 | ··········<ns9:actions> | 27911 | ··········<ns9:actions> |
| 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> | 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> |
| 27919 | ··········</ns9:actions> | 27913 | ··········</ns9:actions> |
| 27920 | ········</ns9:questionnaire> | 27914 | ········</ns9:questionnaire> |
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> | ||
| 27917 | ··········<ns9:actions> | ||
| 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> | ||
| 27919 | ··········</ns9:actions> | ||
| 27920 | ········</ns9:questionnaire> | ||
| 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> | 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> |
| 27923 | ··········<ns9:actions> | 27923 | ··········<ns9:actions> |
| 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> | 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27925 | ··········</ns9:actions> | 27925 | ··········</ns9:actions> |
| 27926 | ········</ns9:questionnaire> | 27926 | ········</ns9:questionnaire> |
| 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 27968, 32 lines modified | Offset 27968, 14 lines modified | ||
| 27968 | ········</ns9:questionnaire> | 27968 | ········</ns9:questionnaire> |
| 27969 | ········<ns9:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> | 27969 | ········<ns9:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> |
| 27970 | ··········<ns9:title>Enable·the·SSSD·Service</ns9:title> | 27970 | ··········<ns9:title>Enable·the·SSSD·Service</ns9:title> |
| 27971 | ··········<ns9:actions> | 27971 | ··········<ns9:actions> |
| 27972 | ············<ns9:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns9:test_action_ref> | 27972 | ············<ns9:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns9:test_action_ref> |
| 27973 | ··········</ns9:actions> | 27973 | ··········</ns9:actions> |
| 27974 | ········</ns9:questionnaire> | 27974 | ········</ns9:questionnaire> |
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns9:title>Disable·DHCP·Client</ns9:title> | ||
| 27977 | ··········<ns9:actions> | ||
| 27978 | ············<ns9:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns9:test_action_ref> | ||
| 27979 | ··········</ns9:actions> | ||
| 27980 | ········</ns9:questionnaire> | ||
| 27981 | ········<ns9:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns9:title>Uninstall·DHCP·Server·Package</ns9:title> | ||
| 27983 | ··········<ns9:actions> | ||
| 27984 | ············<ns9:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns9:test_action_ref> | ||
| 27985 | ··········</ns9:actions> | ||
| 27986 | ········</ns9:questionnaire> | ||
| 27987 | ········<ns9:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> | ||
| 27988 | ··········<ns9:title>Disable·DHCP·Service</ns9:title> | ||
| 27989 | ··········<ns9:actions> | ||
| 27990 | ············<ns9:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 27991 | ··········</ns9:actions> | ||
| 27992 | ········</ns9:questionnaire> | ||
| 27993 | ········<ns9:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> | 27975 | ········<ns9:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> |
| 27994 | ··········<ns9:title>Enable·the·NTP·Daemon</ns9:title> | 27976 | ··········<ns9:title>Enable·the·NTP·Daemon</ns9:title> |
| 27995 | ··········<ns9:actions> | 27977 | ··········<ns9:actions> |
| 27996 | ············<ns9:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns9:test_action_ref> | 27978 | ············<ns9:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns9:test_action_ref> |
| 27997 | ··········</ns9:actions> | 27979 | ··········</ns9:actions> |
| 27998 | ········</ns9:questionnaire> | 27980 | ········</ns9:questionnaire> |
| 27999 | ········<ns9:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> | 27981 | ········<ns9:questionnaire·id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"> |
| Offset 28028, 44 lines modified | Offset 28010, 14 lines modified | ||
| 28028 | ········</ns9:questionnaire> | 28010 | ········</ns9:questionnaire> |
| 28029 | ········<ns9:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> | 28011 | ········<ns9:questionnaire·id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1"> |
| 28030 | ··········<ns9:title>Disable·snmpd·Service</ns9:title> | 28012 | ··········<ns9:title>Disable·snmpd·Service</ns9:title> |
| 28031 | ··········<ns9:actions> | 28013 | ··········<ns9:actions> |
| 28032 | ············<ns9:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns9:test_action_ref> | 28014 | ············<ns9:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 28033 | ··········</ns9:actions> | 28015 | ··········</ns9:actions> |
| 28034 | ········</ns9:questionnaire> | 28016 | ········</ns9:questionnaire> |
| 28035 | ········<ns9:questionnaire·id="ocil:ssg-disable_anacron_ocil:questionnaire:1"> | ||
| 28036 | ··········<ns9:title>Disable·anacron·Service</ns9:title> | ||
| 28037 | ··········<ns9:actions> | ||
| 28038 | ············<ns9:test_action_ref>ocil:ssg-disable_anacron_action:testaction:1</ns9:test_action_ref> | ||
| 28039 | ··········</ns9:actions> | ||
| 28040 | ········</ns9:questionnaire> | ||
| 28041 | ········<ns9:questionnaire·id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1"> | ||
| 28042 | ··········<ns9:title>Enable·cron·Service</ns9:title> | ||
| 28043 | ··········<ns9:actions> | ||
| 28044 | ············<ns9:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ns9:test_action_ref> | ||
| 28045 | ··········</ns9:actions> | ||
| 28046 | ········</ns9:questionnaire> | ||
| 28047 | ········<ns9:questionnaire·id="ocil:ssg-service_atd_disabled_ocil:questionnaire:1"> | ||
| 28048 | ··········<ns9:title>Disable·At·Service·(atd)</ns9:title> | ||
| 28049 | ··········<ns9:actions> | ||
| 28050 | ············<ns9:test_action_ref>ocil:ssg-service_atd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 28051 | ··········</ns9:actions> | ||
| 28052 | ········</ns9:questionnaire> | ||
| 28053 | ········<ns9:questionnaire·id="ocil:ssg-xwindows_runlevel_setting_ocil:questionnaire:1"> | ||
| 28054 | ··········<ns9:title>Disable·X·Windows·Startup·By·Setting·Runlevel</ns9:title> | ||
| 28055 | ··········<ns9:actions> | ||
| 28056 | ············<ns9:test_action_ref>ocil:ssg-xwindows_runlevel_setting_action:testaction:1</ns9:test_action_ref> | ||
| 28057 | ··········</ns9:actions> | ||
| Max diff block lines reached; 4629034/4637972 bytes (99.81%) of diff not shown. | |||
| Offset 439, 45 lines modified | Offset 439, 35 lines modified | ||
| 439 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> | 439 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> |
| 440 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> | 440 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> |
| 441 | ····<ns0:select·idref="httpd_core_modules"·selected="false"/> | 441 | ····<ns0:select·idref="httpd_core_modules"·selected="false"/> |
| 442 | ····<ns0:select·idref="httpd_basic_authentication"·selected="false"/> | 442 | ····<ns0:select·idref="httpd_basic_authentication"·selected="false"/> |
| 443 | ····<ns0:select·idref="httpd_minimize_config_files_included"·selected="false"/> | 443 | ····<ns0:select·idref="httpd_minimize_config_files_included"·selected="false"/> |
| 444 | ····<ns0:select·idref="httpd_optional_components"·selected="false"/> | 444 | ····<ns0:select·idref="httpd_optional_components"·selected="false"/> |
| 445 | ····<ns0:select·idref="sssd"·selected="false"/> | 445 | ····<ns0:select·idref="sssd"·selected="false"/> |
| 446 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 447 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 448 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 449 | ····<ns0:select·idref="printing"·selected="false"/> | 446 | ····<ns0:select·idref="printing"·selected="false"/> |
| 450 | ····<ns0:select·idref="configure_printing"·selected="false"/> | 447 | ····<ns0:select·idref="configure_printing"·selected="false"/> |
| 451 | ····<ns0:select·idref="snmp"·selected="false"/> | 448 | ····<ns0:select·idref="snmp"·selected="false"/> |
| 452 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> | 449 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> |
| 453 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> | 450 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> |
| 454 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 455 | ····<ns0:select·idref="talk"·selected="false"/> | 451 | ····<ns0:select·idref="talk"·selected="false"/> |
| 456 | ····<ns0:select·idref=" | 452 | ····<ns0:select·idref="ldap_server_config_certificate_files"·selected="false"/> |
| 457 | ····<ns0:select·idref=" | 453 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> |
| 458 | ····<ns0:select·idref=" | 454 | ····<ns0:select·idref="proxy"·selected="false"/> |
| 459 | ····<ns0:select·idref=" | 455 | ····<ns0:select·idref="disabling_squid"·selected="false"/> |
| 460 | ····<ns0:select·idref="disabling_nfs"·selected="false"/> | ||
| 461 | ····<ns0:select·idref="disabling_nfs_services"·selected="false"/> | ||
| 462 | ····<ns0:select·idref="disabling_netfs"·selected="false"/> | ||
| 463 | ····<ns0:select·idref="nfs_configuring_all_machines"·selected="false"/> | ||
| 464 | ····<ns0:select·idref="nfs_configure_fixed_ports"·selected="false"/> | ||
| 465 | ····<ns0:select·idref="nfs_client_or_server_not_both"·selected="false"/> | ||
| 466 | ····<ns0:select·idref="disabling_nfsd"·selected="false"/> | ||
| 467 | ····<ns0:select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 468 | ····<ns0:select·idref="dns"·selected="false"/> | 456 | ····<ns0:select·idref="dns"·selected="false"/> |
| 469 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 470 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 471 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 472 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> | 457 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> |
| 473 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> | 458 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> |
| 474 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> | 459 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> |
| 460 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 461 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 462 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 475 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> | 463 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> |
| 476 | ····<ns0:select·idref=" | 464 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> |
| 465 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 466 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 477 | ····<ns0:select·idref="postfix_harden_os"·selected="false"/> | 467 | ····<ns0:select·idref="postfix_harden_os"·selected="false"/> |
| 478 | ····<ns0:select·idref="postfix_configure_ssl_certs"·selected="false"/> | 468 | ····<ns0:select·idref="postfix_configure_ssl_certs"·selected="false"/> |
| 479 | ····<ns0:select·idref="postfix_install_ssl_cert"·selected="false"/> | 469 | ····<ns0:select·idref="postfix_install_ssl_cert"·selected="false"/> |
| 480 | ····<ns0:select·idref="postfix_server_configuration"·selected="false"/> | 470 | ····<ns0:select·idref="postfix_server_configuration"·selected="false"/> |
| 481 | ····<ns0:select·idref="postfix_server_mail_relay"·selected="false"/> | 471 | ····<ns0:select·idref="postfix_server_mail_relay"·selected="false"/> |
| 482 | ····<ns0:select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> | 472 | ····<ns0:select·idref="postfix_server_mail_relay_require_tls_for_smtp_auth"·selected="false"/> |
| 483 | ····<ns0:select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> | 473 | ····<ns0:select·idref="postfix_server_mail_relay_set_trusted_networks"·selected="false"/> |
| Offset 491, 25 lines modified | Offset 481, 26 lines modified | ||
| 491 | ····<ns0:select·idref="dovecot_enabling_ssl"·selected="false"/> | 481 | ····<ns0:select·idref="dovecot_enabling_ssl"·selected="false"/> |
| 492 | ····<ns0:select·idref="dovecot_allow_imap_access"·selected="false"/> | 482 | ····<ns0:select·idref="dovecot_allow_imap_access"·selected="false"/> |
| 493 | ····<ns0:select·idref="dovecot_support_necessary_protocols"·selected="false"/> | 483 | ····<ns0:select·idref="dovecot_support_necessary_protocols"·selected="false"/> |
| 494 | ····<ns0:select·idref="disabling_dovecot"·selected="false"/> | 484 | ····<ns0:select·idref="disabling_dovecot"·selected="false"/> |
| 495 | ····<ns0:select·idref="disabling_samba"·selected="false"/> | 485 | ····<ns0:select·idref="disabling_samba"·selected="false"/> |
| 496 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> | 486 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> |
| 497 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> | 487 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> |
| 498 | ····<ns0:select·idref=" | 488 | ····<ns0:select·idref="nfs_configuring_servers"·selected="false"/> |
| 499 | ····<ns0:select·idref=" | 489 | ····<ns0:select·idref="export_filesystems_read_only"·selected="false"/> |
| 500 | ····<ns0:select·idref=" | 490 | ····<ns0:select·idref="configure_exports_restrictively"·selected="false"/> |
| 501 | ····<ns0:select·idref=" | 491 | ····<ns0:select·idref="use_acl_enforce_auth_restrictions"·selected="false"/> |
| 502 | ····<ns0:select·idref=" | 492 | ····<ns0:select·idref="disabling_nfs"·selected="false"/> |
| 503 | ····<ns0:select·idref="fi | 493 | ····<ns0:select·idref="disabling_nfs_services"·selected="false"/> |
| 504 | ····<ns0:select·idref=" | 494 | ····<ns0:select·idref="disabling_netfs"·selected="false"/> |
| 505 | ····<ns0:select·idref=" | 495 | ····<ns0:select·idref="nfs_configuring_all_machines"·selected="false"/> |
| 506 | ····<ns0:select·idref=" | 496 | ····<ns0:select·idref="nfs_configure_fixed_ports"·selected="false"/> |
| 507 | ····<ns0:select·idref=" | 497 | ····<ns0:select·idref="nfs_client_or_server_not_both"·selected="false"/> |
| 508 | ····<ns0:select·idref=" | 498 | ····<ns0:select·idref="disabling_nfsd"·selected="false"/> |
| 499 | ····<ns0:select·idref="sshd_strengthen_firewall"·selected="false"/> | ||
| 509 | ····<ns0:select·idref="configure_logwatch_on_logserver"·selected="false"/> | 500 | ····<ns0:select·idref="configure_logwatch_on_logserver"·selected="false"/> |
| 510 | ····<ns0:select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 501 | ····<ns0:select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 511 | ····<ns0:select·idref="network-ipsec"·selected="false"/> | 502 | ····<ns0:select·idref="network-ipsec"·selected="false"/> |
| 512 | ····<ns0:select·idref="iptables_icmp_disabled"·selected="false"/> | 503 | ····<ns0:select·idref="iptables_icmp_disabled"·selected="false"/> |
| 513 | ····<ns0:select·idref="iptables_log_and_drop_suspicious"·selected="false"/> | 504 | ····<ns0:select·idref="iptables_log_and_drop_suspicious"·selected="false"/> |
| 514 | ····<ns0:select·idref="network_ipv6_limit_requests"·selected="false"/> | 505 | ····<ns0:select·idref="network_ipv6_limit_requests"·selected="false"/> |
| 515 | ····<ns0:select·idref="disabling_ipv6"·selected="false"/> | 506 | ····<ns0:select·idref="disabling_ipv6"·selected="false"/> |
| Offset 517, 16 lines modified | Offset 508, 25 lines modified | ||
| 517 | ····<ns0:select·idref="network_disable_unused_interfaces"·selected="false"/> | 508 | ····<ns0:select·idref="network_disable_unused_interfaces"·selected="false"/> |
| 518 | ····<ns0:select·idref="account_expiration"·selected="false"/> | 509 | ····<ns0:select·idref="account_expiration"·selected="false"/> |
| 519 | ····<ns0:select·idref="smart_card_login"·selected="false"/> | 510 | ····<ns0:select·idref="smart_card_login"·selected="false"/> |
| 520 | ····<ns0:select·idref="gui_login_banner"·selected="false"/> | 511 | ····<ns0:select·idref="gui_login_banner"·selected="false"/> |
| 521 | ····<ns0:select·idref="user_umask"·selected="false"/> | 512 | ····<ns0:select·idref="user_umask"·selected="false"/> |
| 522 | ····<ns0:select·idref="entropy"·selected="false"/> | 513 | ····<ns0:select·idref="entropy"·selected="false"/> |
| 523 | ····<ns0:select·idref="daemon_umask"·selected="false"/> | 514 | ····<ns0:select·idref="daemon_umask"·selected="false"/> |
| 524 | ····<ns0:select·idref="coredumps"·selected="false"/> | ||
| 525 | ····<ns0:select·idref="enable_nx"·selected="false"/> | 515 | ····<ns0:select·idref="enable_nx"·selected="false"/> |
| 516 | ····<ns0:select·idref="coredumps"·selected="false"/> | ||
| 517 | ····<ns0:select·idref="sudo"·selected="false"/> | ||
| 518 | ····<ns0:select·idref="fips"·selected="false"/> | ||
| 519 | ····<ns0:select·idref="certified-vendor"·selected="false"/> | ||
| 520 | ····<ns0:select·idref="additional_security_software"·selected="false"/> | ||
| 521 | ····<ns0:select·idref="gnome_media_settings"·selected="false"/> | ||
| 522 | ····<ns0:select·idref="gnome_system_settings"·selected="false"/> | ||
| 523 | ····<ns0:select·idref="gnome_login_screen"·selected="false"/> | ||
| 524 | ····<ns0:select·idref="gnome_network_settings"·selected="false"/> | ||
| 525 | ····<ns0:select·idref="gnome_remote_access_settings"·selected="false"/> | ||
| 526 | ····<ns0:refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> | 526 | ····<ns0:refine-value·idref="inactivity_timeout_value"·selector="15_minutes"/> |
| 527 | ····<ns0:refine-value·idref="var_accounts_tmout"·selector="10_min"/> | 527 | ····<ns0:refine-value·idref="var_accounts_tmout"·selector="10_min"/> |
| 528 | ····<ns0:refine-value·idref="var_umask_for_daemons"·selector="027"/> | 528 | ····<ns0:refine-value·idref="var_umask_for_daemons"·selector="027"/> |
| 529 | ····<ns0:refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> | 529 | ····<ns0:refine-value·idref="var_accounts_password_minlen_login_defs"·selector="15"/> |
| 530 | ····<ns0:refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> | 530 | ····<ns0:refine-value·idref="var_accounts_maximum_age_login_defs"·selector="90"/> |
| 531 | ····<ns0:refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> | 531 | ····<ns0:refine-value·idref="var_accounts_minimum_age_login_defs"·selector="7"/> |
| 532 | ····<ns0:refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> | 532 | ····<ns0:refine-value·idref="var_accounts_password_warn_age_login_defs"·selector="7"/> |
| Offset 557, 454 lines modified | Offset 557, 126 lines modified | ||
| 557 | ····<ns0:refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> | 557 | ····<ns0:refine-value·idref="sysctl_net_ipv4_tcp_syncookies_value"·selector="enabled"/> |
| 558 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> | 558 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_all_rp_filter_value"·selector="enabled"/> |
| 559 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> | 559 | ····<ns0:refine-value·idref="sysctl_net_ipv4_conf_default_rp_filter_value"·selector="enabled"/> |
| 560 | ····<ns0:refine-value·idref="file_owner_logfiles_value"·selector="root"/> | 560 | ····<ns0:refine-value·idref="file_owner_logfiles_value"·selector="root"/> |
| 561 | ····<ns0:refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> | 561 | ····<ns0:refine-value·idref="file_groupowner_logfiles_value"·selector="root"/> |
| 562 | ····<ns0:refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 562 | ····<ns0:refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 563 | ··</ns0:Profile> | 563 | ··</ns0:Profile> |
| 564 | ··<ns0:Profile·id=" | 564 | ··<ns0:Profile·id="standard"> |
| 565 | ····<ns0:title·override="true"·xml:lang="en-US"> | 565 | ····<ns0:title·override="true"·xml:lang="en-US">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</ns0:title> |
| 566 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile· | 566 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·contains·rules·to·ensure·standard·security·baseline |
| 567 | 567 | of·a·Red·Hat·Enterprise·Linux·6·system.·Regardless·of·your·system's·workload | |
| 568 | all·of·these·checks·should·pass.</ns0:description> | ||
| 568 | This·baseline·was·inspired·by·the·Center·for·Internet·Security | ||
| 569 | (CIS)·Red·Hat·Enterprise·Linux·6·Benchmark,·v1.2.0·-·06-25-2013. | ||
| 570 | For·the·SCAP·Security·Guide·project·to·remain·in·compliance·with | ||
| 571 | CIS'·terms·and·conditions,·specifically·Restrictions(8),·note· | ||
| 572 | there·is·no·representation·or·claim·that·the·C2S·profile·will | ||
| 573 | ensure·a·system·is·in·compliance·or·consistency·with·the·CIS | ||
| 574 | baseline.</ns0:description> | ||
| 575 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> | 569 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> |
| 576 | ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 577 | ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| Max diff block lines reached; 2514224/2524208 bytes (99.60%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="202 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-04-28T11:48:50"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>202 | 39 | ········<ns5:timestamp>2020-04-27T21:35:18</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> | 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> |
| Offset 31871, 15 lines modified | Offset 31871, 15 lines modified | ||
| 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns3:variables> | 31875 | ······</ns3:variables> |
| 31876 | ····</ns3:oval_definitions> | 31876 | ····</ns3:oval_definitions> |
| 31877 | ··</ns0:component> | 31877 | ··</ns0:component> |
| 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="202 | 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-04-28T11:48:50"> |
| 31879 | ····<ns9:ocil> | 31879 | ····<ns9:ocil> |
| 31880 | ······<ns9:generator> | 31880 | ······<ns9:generator> |
| 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> | 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 31885 | ······</ns9:generator> | 31885 | ······</ns9:generator> |
| Offset 31892, 36 lines modified | Offset 31892, 36 lines modified | ||
| 31892 | ········</ns9:questionnaire> | 31892 | ········</ns9:questionnaire> |
| 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| 31894 | ··········<ns9:title>Disable·rlogin·Service</ns9:title> | 31894 | ··········<ns9:title>Disable·rlogin·Service</ns9:title> |
| 31895 | ··········<ns9:actions> | 31895 | ··········<ns9:actions> |
| 31896 | ············<ns9:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns9:test_action_ref> | 31896 | ············<ns9:test_action_ref>ocil:ssg-service_rlogin_disabled_action:testaction:1</ns9:test_action_ref> |
| 31897 | ··········</ns9:actions> | 31897 | ··········</ns9:actions> |
| 31898 | ········</ns9:questionnaire> | 31898 | ········</ns9:questionnaire> |
| 31899 | ········<ns9:questionnaire·id="ocil:ssg-ser | 31899 | ········<ns9:questionnaire·id="ocil:ssg-no_user_host_based_files_ocil:questionnaire:1"> |
| 31900 | ··········<ns9:title> | 31900 | ··········<ns9:title>Remove·User·Host-Based·Authentication·Files</ns9:title> |
| 31901 | ··········<ns9:actions> | 31901 | ··········<ns9:actions> |
| 31902 | ············<ns9:test_action_ref>ocil:ssg-ser | 31902 | ············<ns9:test_action_ref>ocil:ssg-no_user_host_based_files_action:testaction:1</ns9:test_action_ref> |
| 31903 | ··········</ns9:actions> | 31903 | ··········</ns9:actions> |
| 31904 | ········</ns9:questionnaire> | 31904 | ········</ns9:questionnaire> |
| 31905 | ········<ns9:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> | 31905 | ········<ns9:questionnaire·id="ocil:ssg-no_host_based_files_ocil:questionnaire:1"> |
| 31906 | ··········<ns9:title>Remove·Host-Based·Authentication·Files</ns9:title> | 31906 | ··········<ns9:title>Remove·Host-Based·Authentication·Files</ns9:title> |
| 31907 | ··········<ns9:actions> | 31907 | ··········<ns9:actions> |
| 31908 | ············<ns9:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns9:test_action_ref> | 31908 | ············<ns9:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ns9:test_action_ref> |
| 31909 | ··········</ns9:actions> | 31909 | ··········</ns9:actions> |
| 31910 | ········</ns9:questionnaire> | 31910 | ········</ns9:questionnaire> |
| 31911 | ········<ns9:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> | 31911 | ········<ns9:questionnaire·id="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"> |
| 31912 | ··········<ns9:title>Disable·rsh·Service</ns9:title> | 31912 | ··········<ns9:title>Disable·rsh·Service</ns9:title> |
| 31913 | ··········<ns9:actions> | 31913 | ··········<ns9:actions> |
| 31914 | ············<ns9:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns9:test_action_ref> | 31914 | ············<ns9:test_action_ref>ocil:ssg-service_rsh_disabled_action:testaction:1</ns9:test_action_ref> |
| 31915 | ··········</ns9:actions> | 31915 | ··········</ns9:actions> |
| 31916 | ········</ns9:questionnaire> | 31916 | ········</ns9:questionnaire> |
| 31917 | ········<ns9:questionnaire·id="ocil:ssg- | 31917 | ········<ns9:questionnaire·id="ocil:ssg-service_rexec_disabled_ocil:questionnaire:1"> |
| 31918 | ··········<ns9:title> | 31918 | ··········<ns9:title>Disable·rexec·Service</ns9:title> |
| 31919 | ··········<ns9:actions> | 31919 | ··········<ns9:actions> |
| 31920 | ············<ns9:test_action_ref>ocil:ssg- | 31920 | ············<ns9:test_action_ref>ocil:ssg-service_rexec_disabled_action:testaction:1</ns9:test_action_ref> |
| 31921 | ··········</ns9:actions> | 31921 | ··········</ns9:actions> |
| 31922 | ········</ns9:questionnaire> | 31922 | ········</ns9:questionnaire> |
| 31923 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> | 31923 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"> |
| 31924 | ··········<ns9:title>Uninstall·rsh-server·Package</ns9:title> | 31924 | ··········<ns9:title>Uninstall·rsh-server·Package</ns9:title> |
| 31925 | ··········<ns9:actions> | 31925 | ··········<ns9:actions> |
| 31926 | ············<ns9:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns9:test_action_ref> | 31926 | ············<ns9:test_action_ref>ocil:ssg-package_rsh-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31927 | ··········</ns9:actions> | 31927 | ··········</ns9:actions> |
| Offset 31976, 38 lines modified | Offset 31976, 38 lines modified | ||
| 31976 | ········</ns9:questionnaire> | 31976 | ········</ns9:questionnaire> |
| 31977 | ········<ns9:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> | 31977 | ········<ns9:questionnaire·id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"> |
| 31978 | ··········<ns9:title>Disable·tftp·Service</ns9:title> | 31978 | ··········<ns9:title>Disable·tftp·Service</ns9:title> |
| 31979 | ··········<ns9:actions> | 31979 | ··········<ns9:actions> |
| 31980 | ············<ns9:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns9:test_action_ref> | 31980 | ············<ns9:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ns9:test_action_ref> |
| 31981 | ··········</ns9:actions> | 31981 | ··········</ns9:actions> |
| 31982 | ········</ns9:questionnaire> | 31982 | ········</ns9:questionnaire> |
| 31983 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | ||
| 31984 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> | ||
| 31985 | ··········<ns9:actions> | ||
| 31986 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> | ||
| 31987 | ··········</ns9:actions> | ||
| 31988 | ········</ns9:questionnaire> | ||
| 31989 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> | 31983 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1"> |
| 31990 | ··········<ns9:title>Uninstall·tftp-server·Package</ns9:title> | 31984 | ··········<ns9:title>Uninstall·tftp-server·Package</ns9:title> |
| 31991 | ··········<ns9:actions> | 31985 | ··········<ns9:actions> |
| 31992 | ············<ns9:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns9:test_action_ref> | 31986 | ············<ns9:test_action_ref>ocil:ssg-package_tftp-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31993 | ··········</ns9:actions> | 31987 | ··········</ns9:actions> |
| 31994 | ········</ns9:questionnaire> | 31988 | ········</ns9:questionnaire> |
| 31995 | ········<ns9:questionnaire·id="ocil:ssg- | 31989 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns9:title> | 31990 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> |
| 31997 | ··········<ns9:actions> | 31991 | ··········<ns9:actions> |
| 31998 | ············<ns9:test_action_ref>ocil:ssg- | 31992 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> |
| 31999 | ··········</ns9:actions> | 31993 | ··········</ns9:actions> |
| 32000 | ········</ns9:questionnaire> | 31994 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | 31995 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> |
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | 31996 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> |
| 32003 | ··········<ns9:actions> | 31997 | ··········<ns9:actions> |
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | 31998 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> |
| 32005 | ··········</ns9:actions> | 31999 | ··········</ns9:actions> |
| 32006 | ········</ns9:questionnaire> | 32000 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> | 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> |
| 32009 | ··········<ns9:actions> | 32009 | ··········<ns9:actions> |
| 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> | 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> |
| 32011 | ··········</ns9:actions> | 32011 | ··········</ns9:actions> |
| 32012 | ········</ns9:questionnaire> | 32012 | ········</ns9:questionnaire> |
| 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32018, 26 lines modified | Offset 32018, 26 lines modified | ||
| 32018 | ········</ns9:questionnaire> | 32018 | ········</ns9:questionnaire> |
| 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> | 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> |
| 32021 | ··········<ns9:actions> | 32021 | ··········<ns9:actions> |
| 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> | 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> |
| 32023 | ··········</ns9:actions> | 32023 | ··········</ns9:actions> |
| 32024 | ········</ns9:questionnaire> | 32024 | ········</ns9:questionnaire> |
| Max diff block lines reached; 5277576/5287269 bytes (99.82%) of diff not shown. | |||
| Offset 221, 14 lines modified | Offset 221, 266 lines modified | ||
| 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 226 | ··</ns0:metadata> | 226 | ··</ns0:metadata> |
| 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 228 | ··<ns0:Profile·id="standard"> | ||
| 229 | ····<ns0:title·override="true"·xml:lang="en-US">Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·7</ns0:title> | ||
| 230 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·contains·rules·to·ensure·standard·security·baseline | ||
| 231 | of·a·Red·Hat·Enterprise·Linux·7·system.·Regardless·of·your·system's·workload | ||
| 232 | all·of·these·checks·should·pass.</ns0:description> | ||
| 233 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 234 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 235 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 236 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 237 | ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 238 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="partition_for_var_log"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="audit_rules_time_adjtimex"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="audit_rules_time_settimeofday"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="audit_rules_time_stime"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="audit_rules_time_clock_settime"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="audit_rules_time_watch_localtime"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="audit_rules_usergroup_modification"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="audit_rules_networkconfig_modification"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="audit_rules_mac_modification"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="audit_rules_unsuccessful_file_modification"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="audit_rules_privileged_commands"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="audit_rules_media_export"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="audit_rules_file_deletion_events"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="audit_rules_sysadmin_actions"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="audit_rules_kernel_module_loading"·selected="true"/> | ||
| 277 | ····<ns0:select·idref="service_abrtd_disabled"·selected="true"/> | ||
| 278 | ····<ns0:select·idref="service_atd_disabled"·selected="true"/> | ||
| 279 | ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> | ||
| 280 | ····<ns0:select·idref="service_ntpdate_disabled"·selected="true"/> | ||
| 281 | ····<ns0:select·idref="service_oddjobd_disabled"·selected="true"/> | ||
| 282 | ····<ns0:select·idref="service_qpidd_disabled"·selected="true"/> | ||
| 283 | ····<ns0:select·idref="service_rdisc_disabled"·selected="true"/> | ||
| 284 | ····<ns0:select·idref="remediation_functions"·selected="false"/> | ||
| 285 | ····<ns0:select·idref="obsolete"·selected="false"/> | ||
| 286 | ····<ns0:select·idref="r_services"·selected="false"/> | ||
| 287 | ····<ns0:select·idref="telnet"·selected="false"/> | ||
| 288 | ····<ns0:select·idref="nis"·selected="false"/> | ||
| 289 | ····<ns0:select·idref="tftp"·selected="false"/> | ||
| 290 | ····<ns0:select·idref="inetd_and_xinetd"·selected="false"/> | ||
| 291 | ····<ns0:select·idref="talk"·selected="false"/> | ||
| 292 | ····<ns0:select·idref="openstack"·selected="false"/> | ||
| 293 | ····<ns0:select·idref="ftp"·selected="false"/> | ||
| 294 | ····<ns0:select·idref="ftp_configure_vsftpd"·selected="false"/> | ||
| 295 | ····<ns0:select·idref="ftp_configure_firewall"·selected="false"/> | ||
| 296 | ····<ns0:select·idref="ftp_restrict_users"·selected="false"/> | ||
| 297 | ····<ns0:select·idref="ftp_limit_users"·selected="false"/> | ||
| 298 | ····<ns0:select·idref="ftp_use_vsftpd"·selected="false"/> | ||
| 299 | ····<ns0:select·idref="disabling_vsftpd"·selected="false"/> | ||
| 300 | ····<ns0:select·idref="snmp"·selected="false"/> | ||
| 301 | ····<ns0:select·idref="snmp_configure_server"·selected="false"/> | ||
| 302 | ····<ns0:select·idref="disabling_snmp_service"·selected="false"/> | ||
| 303 | ····<ns0:select·idref="restrict_at_cron_users"·selected="false"/> | ||
| 304 | ····<ns0:select·idref="xwindows"·selected="false"/> | ||
| 305 | ····<ns0:select·idref="disabling_xwindows"·selected="false"/> | ||
| 306 | ····<ns0:select·idref="routing"·selected="false"/> | ||
| 307 | ····<ns0:select·idref="disabling_quagga"·selected="false"/> | ||
| 308 | ····<ns0:select·idref="dns"·selected="false"/> | ||
| 309 | ····<ns0:select·idref="dns_server_isolation"·selected="false"/> | ||
| 310 | ····<ns0:select·idref="dns_server_chroot"·selected="false"/> | ||
| 311 | ····<ns0:select·idref="dns_server_dedicated"·selected="false"/> | ||
| 312 | ····<ns0:select·idref="dns_server_protection"·selected="false"/> | ||
| 313 | ····<ns0:select·idref="dns_server_separate_internal_external"·selected="false"/> | ||
| 314 | ····<ns0:select·idref="dns_server_partition_with_views"·selected="false"/> | ||
| 315 | ····<ns0:select·idref="disabling_dns_server"·selected="false"/> | ||
| 316 | ····<ns0:select·idref="ldap"·selected="false"/> | ||
| 317 | ····<ns0:select·idref="openldap_server"·selected="false"/> | ||
| 318 | ····<ns0:select·idref="ldap_server_config_certificate_files"·selected="false"/> | ||
| 319 | ····<ns0:select·idref="openldap_client"·selected="false"/> | ||
| 320 | ····<ns0:select·idref="dhcp"·selected="false"/> | ||
| 321 | ····<ns0:select·idref="disabling_dhcp_client"·selected="false"/> | ||
| 322 | ····<ns0:select·idref="dhcp_server_configuration"·selected="false"/> | ||
| 323 | ····<ns0:select·idref="dhcp_server_minimize_served_info"·selected="false"/> | ||
| 324 | ····<ns0:select·idref="disabling_dhcp_server"·selected="false"/> | ||
| 325 | ····<ns0:select·idref="dhcp_client_configuration"·selected="false"/> | ||
| 326 | ····<ns0:select·idref="dhcp_client_restrict_options"·selected="false"/> | ||
| 327 | ····<ns0:select·idref="smb"·selected="false"/> | ||
| 328 | ····<ns0:select·idref="disabling_samba"·selected="false"/> | ||
| 329 | ····<ns0:select·idref="configuring_samba"·selected="false"/> | ||
| 330 | ····<ns0:select·idref="smb_disable_printing"·selected="false"/> | ||
| 331 | ····<ns0:select·idref="smb_restrict_file_sharing"·selected="false"/> | ||
| 332 | ····<ns0:select·idref="http"·selected="false"/> | ||
| 333 | ····<ns0:select·idref="installing_httpd"·selected="false"/> | ||
| 334 | ····<ns0:select·idref="httpd_minimal_modules_installed"·selected="false"/> | ||
| 335 | ····<ns0:select·idref="disabling_httpd"·selected="false"/> | ||
| 336 | ····<ns0:select·idref="securing_httpd"·selected="false"/> | ||
| 337 | ····<ns0:select·idref="httpd_restrict_info_leakage"·selected="false"/> | ||
| 338 | ····<ns0:select·idref="httpd_configure_os_protect_web_server"·selected="false"/> | ||
| 339 | ····<ns0:select·idref="httpd_chroot"·selected="false"/> | ||
| 340 | ····<ns0:select·idref="httpd_restrict_file_dir_access"·selected="false"/> | ||
| 341 | ····<ns0:select·idref="httpd_use_dos_protection_modules"·selected="false"/> | ||
| 342 | ····<ns0:select·idref="httpd_modules_improve_security"·selected="false"/> | ||
| 343 | ····<ns0:select·idref="httpd_deploy_mod_security"·selected="false"/> | ||
| 344 | ····<ns0:select·idref="httpd_deploy_mod_ssl"·selected="false"/> | ||
| 345 | ····<ns0:select·idref="httpd_directory_restrictions"·selected="false"/> | ||
| 346 | ····<ns0:select·idref="httpd_configure_php_securely"·selected="false"/> | ||
| 347 | ····<ns0:select·idref="httpd_minimize_loadable_modules"·selected="false"/> | ||
| Max diff block lines reached; 1890155/1907514 bytes (99.09%) of diff not shown. | |||